Critical Security Update for Adobe Commerce (Magento) Users

The following information is provided compliments of our Partner Source Defense.

Recent Security Threats Detected

In the past few days, several client-side attacks targeting sites using Adobe Commerce have been observed. These attacks, originating from third parties on the page, have exploited a critical vulnerability known as CosmicSting (CVE-2024-34102). This vulnerability allows unauthorized access to private files, including those containing sensitive information like passwords. When combined with the recent iconv bug in Linux, it poses a risk of remote code execution.

Adobe’s Critical Security Fix

In response to these threats, Adobe has released a critical security fix to address the CosmicSting vulnerability. We strongly urge all Adobe Commerce users to apply this fix immediately to protect their sites from potential exploitation. The details and download for this fix are available on Adobe’s website.

Response and Your Protection

We have identified sites that were affected by these attacks. Thanks to our advanced security measures, our partner (Source Defense) was able to protect our customers from the client-side attacks originating from third parties on their pages. Specifically, we prevented the skimmer from accessing credit card details and alerted our customers about the domain to which the script attempted to send the data. This domain was subsequently added to our blacklist.

One customer’s security engineers remarked, “The data provided by Source Defense is crucial to our understanding of the attack, offering insights that we couldn’t obtain from any other source.”

Impact on Major Companies

This attack did not discriminate by the size or industry of the target. We found evidence of the same vulnerability being exploited in massive companies, including a $180 billion medical manufacturer and a global manufacturer worth $1.4 billion. The widespread nature of this attack highlights the importance of prompt action to secure your site.

Understanding the Attack Vector

The recent attacks allowed hackers to inject code into the HTML without accessing the database directly. This was achieved either by calling a script from a remote server or by embedding the script as a first-party element that sent data to a malicious domain. The following image shows an example of how the attackers added their script to the page and a screenshot of the obfuscated code used:

Protect Your Site

The recent attacks underscore the need for robust security measures to protect your e-commerce platform. It’s important to note that Content Security Policy (CSP) would not have prevented these attacks: the injected scripts were served from domains the site already trusted, so an origin-based allow-list would have let them run.

Act Now to Ensure Compliance and Security

As the March 2025 deadline for PCI DSS 4.0 compliance approaches, it’s crucial for organizations handling online payments to inventory, justify, and control all code in the online checkout process. Waiting to implement these measures can result in compliance bottlenecks and increased vulnerability to attacks. Source Defense solutions are essential for meeting these requirements and avoiding compliance violations.

The cybersecurity landscape is constantly evolving, and staying informed about the latest threats and fixes is crucial. By applying Adobe’s security fix and utilizing Datatel’s/Source Defense’s protection, you can ensure that your site remains secure and resilient against potential attacks.

Our solutions not only protect against eSkimming attacks but also ensure compliance with PCI DSS 4.0 requirements 6.4.3 and 11.6.1, making them indispensable as the compliance deadline approaches. Don’t wait—take action now to safeguard your e-commerce platform and ensure compliance.
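The attack vector, the CSP caveat and the PCI DSS 4.0 requirements above all come down to one defender-side check: know every script on the checkout page, detect any that appear without authorization, and find out where a suspicious one reports to. The following is an added example, not code from Datatel, Source Defense or Adobe. It inventories the scripts in a page (requirement 6.4.3), diffs them against an approved baseline (requirement 11.6.1), recovers hostnames hidden in base64 literals inside an unexpected inline script, and evaluates a simple origin-based `script-src` allow-list to show that a first-party injected script passes it. The store host, the PSP host, both HTML pages, the drop-site domain and the CSP value are all constructed placeholders.

```python
"""Checkout-page script inventory and tamper detection (added example).

Not code from Datatel, Source Defense or Adobe. Every hostname, HTML fragment
and policy below is constructed for the example.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STORE_HOST = "store.example"  # constructed placeholder for the merchant's own host


class ScriptCollector(HTMLParser):
    """Records each <script>: external ones by src/host, inline ones by body hash."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._buf, self._attrs = [], False, [], {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf, self._attrs = True, [], dict(attrs)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        src = self._attrs.get("src")
        if src:
            host = urlparse(src).hostname or STORE_HOST  # relative src = first party
            self.scripts.append({"kind": "external", "id": src, "host": host})
        else:
            body = "".join(self._buf)
            digest = hashlib.sha256(body.encode()).hexdigest()
            self.scripts.append({"kind": "inline", "id": "inline:" + digest,
                                 "host": STORE_HOST, "body": body})


def inventory(html):
    """Requirement 6.4.3: the scripts actually present on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts


def unauthorized(baseline_html, current_html):
    """Requirement 11.6.1: scripts on the current page missing from the approved baseline."""
    approved = {s["id"] for s in inventory(baseline_html)}
    return [s for s in inventory(current_html) if s["id"] not in approved]


B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def hidden_hosts(body):
    """Hostnames hidden in base64 string literals, so the drop site can be blocked."""
    found = set()
    for literal in B64_LITERAL.findall(body):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip the literal
        found.update(HOSTNAME.findall(text.lower()))
    return sorted(found)


def csp_allows(script, script_src):
    """Does a plain origin allow-list in script-src permit this script?
    Inline code needs 'unsafe-inline' (nonces and hashes are not modelled);
    external code needs its host, or 'self' when it is first party."""
    if script["kind"] == "inline":
        return "'unsafe-inline'" in script_src
    if script["host"] == STORE_HOST:
        return "'self'" in script_src or STORE_HOST in script_src
    return script["host"] in script_src


# Constructed sample pages. The infected page carries one extra inline script
# whose drop-site URL is hidden in base64; the rest of such a script is omitted
# because only the hiding pattern matters for triage.
BASELINE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://pay.psp.example/sdk.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</body></html>"""
DROP_URL_B64 = base64.b64encode(b"https://collect.evil.example").decode()
INFECTED_HTML = BASELINE_HTML.replace(
    "</body>", "<script>var _0x1f=atob('%s');</script></body>" % DROP_URL_B64)
# Constructed policy (assumption): an origin allow-list with inline scripts permitted.
SCRIPT_SRC = "'self' 'unsafe-inline' https://pay.psp.example"


def triage():
    """Returns (kinds of new scripts, hidden hosts, whether CSP would have let them run)."""
    new = unauthorized(BASELINE_HTML, INFECTED_HTML)
    hosts = sorted({h for s in new for h in hidden_hosts(s.get("body", ""))})
    allowed = all(csp_allows(s, SCRIPT_SRC) for s in new)
    return [s["kind"] for s in new], hosts, allowed


if __name__ == "__main__":
    print(triage())
```

Run against the constructed pages, `triage()` reports one new inline script, the decoded host `collect.evil.example` to add to the block list, and `True` for the CSP check: the injected code is first party, so the origin allow-list does nothing to stop it. In practice the baseline comes from the last reviewed and approved version of the payment page, the check runs on every fetch of the live page, and any new `id` is treated as a change requiring review rather than as noise.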

What our clients are saying about us

“Never any issues with you guys! Things just work.”

Gerry Henstra, CEO, Henstra Business Solutions

“Customer service is a really big deal to us, and I am glad to do business with a company that obviously takes it as seriously as we do.”

Jeff Boatman, Global Client Solutions

“We’re happy with the IVR Payment system and it has been working well for us. Recently we also set up your newest SMS (text) receipts and found it to work great.”

IT Manager

“I want to commend you and your team at Datatel on the job just completed for Tele-Response Center. The attention to detail and professionalism with which you approached the project was exemplary and greatly appreciated, especially considering the several applications that needed to be implemented on short notice. Thanks again for your assistance getting this project off the ground so smoothly.”

Joe Grossman, Sr. Vice President, 121 Direct Response

“My team and I would like to commend Datatel on creating an IVR application that adds great value to our new Travel product. Your knowledge, input and expertise in IVR scripting, call flow management and overall IVR logistics made the development and implementation stages extremely easy to manage. Thank you for a well executed campaign that was launched on time and on budget.”

Ryan McCullough, Marketing Manager, Aegon Direct

“Great team to work with. I look forward to utilizing some additional capabilities in the future.”

Bob Griffin, VP of Operations, MedA/Rx

“We are very grateful for many years of mutually beneficial business relationship with Datatel and for impeccable customer service we have received during these years.”

Director of Student Accounts

“We, Standard Life, very much appreciated Datatel’s expertise, knowledge and support as we worked through the development and implementation stages. Our Clients appreciate the simplicity of the capability, while gathering very valuable feedback. Thanks for making this a very positive experience.”

Anne Pennell, VP, Customer Services Operations, Standard Life

“This was one of the best implementations I have been a part of. The communication was excellent and everything was responded to and dealt with swiftly. A real pleasure. We are looking forward to the impact this will have on our patient payments! Thank you!”

Kim Pace, Director Patient Accounts and Revenue, Chatham-Kent Health Alliance