
Critical SessionReaper Flaw: How to Protect Your Adobe Commerce & Magento Store from Account Hijacking
A critical security vulnerability, dubbed SessionReaper, has been discovered in Adobe Commerce and Magento Open Source, posing a significant threat to e-commerce stores and their customers. This flaw, identified as CVE-2024-34102, carries a critical severity rating of 9.1 out of 10 and can allow attackers to hijack user accounts, access sensitive personal information, and potentially conduct fraudulent activities.
If you are running an Adobe Commerce or Magento store, immediate action is required to protect your business and your customers.
What is the SessionReaper Vulnerability?
SessionReaper is a sophisticated exploit that takes advantage of a race condition within the platform’s session management system. In simple terms, a race condition is a flaw that occurs when the timing of two or more operations goes wrong, leading to an unexpected and insecure outcome.
In this case, the vulnerability arises when a user logs out of their account, particularly on a shared computer (like in a library or co-working space). The system is supposed to terminate the user’s session and clear all associated data immediately. However, the SessionReaper flaw creates a tiny window of opportunity where the old session data is not completely purged before a new session can begin.
An attacker can exploit this window to merge a victim’s sensitive session data—including their cart contents, personal details, and checkout information—with their own new session, effectively hijacking it.
How the Attack Works: A Step-by-Step Scenario
The attack vector for SessionReaper is alarmingly simple and relies on shared or public computer access. Here’s how a malicious actor could exploit it:
- The Victim Logs Out: A legitimate customer uses a public computer to log into your store, adds items to their cart, and then logs out.
- The Attacker Acts Quickly: An attacker, who was observing the computer, immediately uses the same browser to log into a low-privilege account they created on your store.
- The Flaw is Triggered: Due to the race condition, the platform fails to properly clear the previous user’s session data before initiating the attacker’s new session.
- Session Data is Merged: Critical information from the victim’s session, such as their full name, address, phone number, and items in their cart, is merged into the attacker’s active session.
- Account Takeover: The attacker now has access to the victim’s private information and can potentially manipulate their cart or proceed with checkout, leading to a full account takeover.
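The ordering problem behind the scenario above can be shown with a small in-memory model. The following example is added here and is not code from the article, from Adobe, or from Magento: it contrasts a session store whose logout only schedules a purge (so a login on the same browser session merges into leftover data) with one that destroys the record synchronously and issues a fresh session ID on every login. Session IDs, account fields and the "shared-browser-cookie" value are all constructed for the demo.

```python
"""
Added example (not from the article, Adobe, or Magento): a minimal model of
the logout/login ordering flaw described above and its hardened counterpart.
Every identifier and data value below is constructed for the demo.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    data: dict = field(default_factory=dict)


class LazyPurgeSessionStore:
    """Models the flawed ordering: logout only *schedules* removal of the
    session record, and a later login that presents the same session ID
    merges the new account's fields into whatever is still stored there."""

    def __init__(self):
        self._sessions = {}
        self._pending_purge = set()

    def login(self, sid, account):
        # Reuses the browser's existing session record if it still exists.
        sess = self._sessions.setdefault(sid, Session(sid))
        sess.data.update(account)  # stale fields from the previous user survive
        return sess

    def logout(self, sid):
        self._pending_purge.add(sid)  # deferred: the window the article describes

    def run_purge(self):
        # In the race, this runs only after the next login has already happened.
        for sid in self._pending_purge:
            self._sessions.pop(sid, None)
        self._pending_purge.clear()


class StrictSessionStore:
    """Hardened ordering: logout destroys the record immediately, and login
    never reuses the presented ID or its data; it issues a fresh one."""

    def __init__(self):
        self._sessions = {}

    def login(self, sid, account):
        self._sessions.pop(sid, None)  # discard anything bound to the old ID
        new_sid = secrets.token_hex(16)  # regenerate the session identifier
        self._sessions[new_sid] = Session(new_sid, dict(account))
        return self._sessions[new_sid]

    def logout(self, sid):
        self._sessions.pop(sid, None)  # synchronous purge, no window


def stale_fields(session_data, account):
    """Keys in the live session that the currently logged-in account never
    supplied: anything here came from a previous user of the browser."""
    return set(session_data) - set(account)


def run_scenario(store):
    """Replays the article's scenario on a shared browser: victim logs in,
    logs out, attacker logs in on the same browser. Returns the fields
    left over from the victim in the attacker's session (constructed data)."""
    victim = {"customer": "victim@example.test", "address": "1 Demo Street",
              "cart": ["widget"]}
    attacker = {"customer": "attacker@example.test"}
    cookie = "shared-browser-cookie"  # constructed initial session ID

    sess = store.login(cookie, victim)
    cookie = sess.sid  # browser now holds whatever ID the store issued
    store.logout(cookie)
    sess = store.login(cookie, attacker)  # attacker on the same browser
    return stale_fields(sess.data, attacker)


if __name__ == "__main__":
    print("lazy purge leaks:", sorted(run_scenario(LazyPurgeSessionStore())))
    print("strict store leaks:", sorted(run_scenario(StrictSessionStore())))
```

The `stale_fields` check is the invariant a regression test around login can assert after patching: a freshly authenticated session must contain only what the authenticating account supplied. The `StrictSessionStore` shows the two properties that close the window in the model, purging on logout before returning and regenerating the session identifier on login rather than adopting the one the browser presents.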
The Impact on Your Business and Customers
The consequences of the SessionReaper vulnerability are severe and can cause significant damage to both your customers and your brand’s reputation.
- Sensitive Data Exposure: Attackers can gain access to Personally Identifiable Information (PII), including names, physical addresses, email addresses, and phone numbers.
- Unauthorized Transactions: With access to a hijacked session, attackers could potentially complete purchases or manipulate orders.
- Loss of Customer Trust: A data breach erodes customer confidence, which can be incredibly difficult and costly to rebuild.
- Financial and Legal Consequences: Your business could face fines, legal action, and significant financial loss resulting from fraudulent activities and security remediation.
Is Your Store Affected?
This vulnerability impacts a wide range of recent versions of both Adobe Commerce and Magento Open Source. You are at risk if you are running any of the following versions:
- Adobe Commerce: 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.
- Magento Open Source: 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.
Adobe has also noted that versions 2.4.7, 2.4.6, 2.4.5, and 2.4.4 are affected. Essentially, if you have not applied the most recent security patches, your store is likely vulnerable.
Urgent Action Required: How to Secure Your Store
The single most important step you must take is to apply the latest security patches released by Adobe immediately. Waiting to patch leaves your store exposed to active exploitation.
- Backup Your Store: Before applying any updates, create a complete backup of your store’s files and database.
- Install the Security Patches: Navigate to the Adobe Security Bulletin and find the appropriate patch for your specific version of Adobe Commerce or Magento Open Source. Follow the installation instructions carefully.
- Verify the Patch: After installation, thoroughly test your site’s functionality, including user login, logout, and the checkout process, to ensure the patch was applied correctly and hasn’t caused any issues.
Beyond the Patch: Proactive E-commerce Security
While patching is the immediate priority, you can further harden your store’s defenses with these security best practices:
- Implement Multi-Factor Authentication (MFA): MFA adds a critical layer of security that makes it much more difficult for attackers to take over accounts, even if they manage to steal credentials.
- Conduct Regular Security Audits: Proactively scan your store for vulnerabilities, outdated components, and misconfigurations.
- Deploy a Web Application Firewall (WAF): A WAF can help detect and block malicious traffic patterns and known attack vectors before they reach your application.
- Educate Users: While not a technical fix, reminding customers about the risks of using shared or public computers for online shopping can help mitigate this specific attack scenario.
The SessionReaper vulnerability is a serious threat that should not be underestimated. By taking swift and decisive action to patch your systems, you can protect your business, your customers, and your reputation from a potentially devastating attack.
Source: https://securityaffairs.com/182075/security/critical-flaw-sessionreaper-in-commerce-and-magento-platforms-lets-attackers-hijack-customer-accounts.html


