Security Threat Banner

High Risk security hole leaves vulnerability in Magento CE

Security consultancy DefenseCode published an advisory about a high-risk vulnerability in Magento CE. The threat was identified in November but has not been patched by Magento.

Specifically, this security risk impacts all Magento CE versions of 2.1.6 and below and using preview images in Vimeo videos.

In plain English, a hacker can point the preview image URL links from Vimeo to a different file. Magento tries to validate the preview image file as authentic and rejects the fake file.

But, Magento leaves a rejected file on the server. This rejected file is accessible by hackers to run malicious code on the server.

The security vulnerability allows for remote code execution and a full system compromise. Attacked systems will have their customer and payment database exposed to hackers.

The initial attack work with virtually all Magento backend user levels. It does not have to be an administrator.

While having the Magento session open and clicking on an email link or visiting a website crafted to abuse the vulnerability, a Magento user can unwillingly open up the server to the hack.

Please see the nerdy but very important explanation by DefenseCode here or click on the source link below.


DefenseCode urges Magento users to enforce the use of “Add Secret Key to URLs” which mitigates the CSFR attack vector. To prevent remote code execution the Magento server configuration should disallow .htaccess files in affected directories.

DefenseCode claims they made several efforts to notify Magento of this security problem. But since November 2016, Magento has released 4 updates, none addressing this vulnerability.


DefenseCode did not identify any. And this seems to be another example of problems plaguing the Magento 2 platform.

While Magento doubled down last week with news about Magento 2’s future. The fact is that Magento 1.9.x.x is still a better platform for most online retailers.

At the time of this writing, it is not known if any hacks have been successful in existing Magento installations. While the steps are numerous, the fact that the hack can take over the entire server is troubling.

DefenseCode hopes by going public with this information, Magento will address the problem before widespread attacks occur.

UPDATE: APRIL 14, 2017

Magento sent out the following email today to respond to this security risk.

…In addition, this vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

1. Logon to Merchant Site Admin URL (e.g., your
2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
3. Select YES from the dropdown options
4. Click on Save Config

Connect With Us And Other Small Business Owners

Please head over to our Facebook Group for Small Business Sellers and interact with other small business owners.

Follow us on FacebookTwitter, and LinkedIn to stay up to date with relevant news and business insights for your online business.

Subscribe to Our Newsletter

Business Insights for Your Online Business Presented with a Dash of Humor

We do not share your information and you can unsubscribe anytime.

Leave a Reply

Your email address will not be published.