Don’t Get Shocked By a Rogue Plugin

In some bad news recently for Magento, several plugins were found in the Magento Connect store that contained security vulnerabilities. The worst of these was a rogue plugin that installed a PHP remote shell, which gave hackers the ability to log into the Magento back-end and extract credit card information from a merchant's customer data.

Before getting completely alarmed about this, let’s talk about why this happened. First, to put any rumors to rest, Magento is a safe platform. There are over 240,000 eCommerce sites implemented on Magento and it’s a proven, secure platform. Disclaimer: The company I work for is a Magento partner and has built many custom Magento sites for very large customers (which is how I know it’s safe).

In each of the cases where a security vulnerability was created by a plug-in, what wasn’t safe is what was added to the code base. Unchecked. Whenever a piece of code is introduced to a system, whether it’s modular or not, there exists the capacity for ill behavior. Frankly, it’s much more likely that a member of a merchant’s technology staff would make off with credit card data than through any other means. This is why there are code reviews, security scans, penetration tests, firewalls, intrusion detection systems, and the like.

Assuming an external piece of code is OK simply because it is built for a given platform would be the same as hiring a new developer without an interview process, letting them commit code without review and promoting that code to production without proper testing. Sounds ridiculous, right?  But it happens every day when people assume plug-ins are safe by their very nature.

If you’ve read the news lately, you know there are security breaches almost every day. Some get all the news attention while others go relatively unnoticed. Rogue applications and plug-ins exist all over the place: on app stores, on web sites, pretty much anywhere unchecked community code can be downloaded. And the vast majority of it can be used without security worries. I sat down with Optaros’ Chief Architect and fellow coworker, Olivier Pepin, to discuss this and here are the steps we recommend taking whenever taking advantage of a third-party plugin:

Research

Look at numerous plugins that accomplish what you need, if possible. Read reviews and, if you can, contact people who currently use the plug-in and ask them about their experience. Check out the number of revisions and whether the plugin is current with the version of the eCommerce platform for which it is needed. Lack of users, lack of support, and lack of current code are all reasons to consider looking for other options.

Investigate

Once a plug-in has been chosen, take a look at the code. If you see things that don’t seem right (things that you wouldn’t put in a plug-in, for example), then you may want to investigate further. If you don’t know what you’d put in a plug-in, you’re the wrong person to be investigating. If you see something suspect like:

eval(gzinflate(base64_decode('nVRRb9owEH4Gif9wQ1EdTyih1SQeWIGqZBKaaLYQ9kJRZCU2tYDYcxxpHdp/r51BSEX7sD1Yiu6+7+67704Zjz6P5ZPstDkDF3hRUO06ybdwEWO4ujKBhChFnpuxVJT5'GTSCPmA4dNoAzk5skowruAU...

then it is probably best to stay away. The above example is an excerpt of malicious code installed through a PHP remote shell that was part of a plugin. Very creative, very unclear, and for a very good reason. Also, consider running a scanner to check out the source code. There are several free scanners available that can save you lots of headache later. Avoid any plug-in containing encrypted/encoded code, especially if the code is not coming from a trusted extension provider.
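One way to automate part of the Investigate step, as an added example (not code from the original post or from any scanner it alludes to): a small Python heuristic that flags the eval(gzinflate(base64_decode(...))) wrapper shown above, and similar decoder chains, in an unpacked plugin directory. The rule names, the 120-character threshold, the file suffixes and the sample input are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic rules (assumptions for this sketch, not a complete signature set).
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)"
RULES = {
    # eval()/assert() fed directly by a decoder or decompressor
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?" + DECODERS + r"\s*\(", re.I),
    # two decoders nested, e.g. gzinflate(base64_decode(
    "nested-decoders": re.compile(
        DECODERS + r"\s*\(\s*@?" + DECODERS + r"\s*\(", re.I),
    # quoted base64-looking literal of 120 or more characters
    "long-encoded-literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}"),
}
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def scan_source(text):
    """Return sorted (line_number, rule_name) pairs for one PHP source string."""
    # Blank out block comments (keeping newlines) so 'eval/**/(' cannot dodge the rules.
    clean = BLOCK_COMMENT.sub(lambda m: re.sub(r"[^\n]", "", m.group()), text)
    hits = set()
    for name, rx in RULES.items():
        for m in rx.finditer(clean):
            hits.add((clean.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Scan every PHP-like file under an unpacked plugin directory."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_source(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed sample: filler literal in the same wrapper shape, not a real payload.
SAMPLE = (
    "<?php\n"
    "class Helper { function label() { return base64_decode('aGk='); } }\n"
    "eval/**/ (gzinflate(base64_decode('" + "ZWNobyAxOw==" * 12 + "')));\n"
)

if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print(f"line {line}: {rule}")
```

A hit is a reason to read that file by hand, not a verdict; a clean result does not show the plug-in is safe, since these rules only catch this one family of wrappers.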

Test

If you decide to use a plug-in where the source code is encrypted or obfuscated, have a reputable company scan the code after installing it on the platform in a VM. An automated scanner may be of some use, but spending a few bucks on a penetration test to properly test out a broad variety of exploits will be way cheaper than exposing your customers to potential fraud. Some companies offer both an automated scan and pen testing and it can be useful to hire a company that can do either, as needed. Treat community extensions as an extension of your development team, run the code through your regular code review and QA process, and also ask yourself if your team can support the extension.

 

Using plug-ins is a great way to extend a platform’s functionality and there are many helpful Magento extensions available. Take advantage of these where they are useful and make sure to Research, Investigate, and Test each plugin to validate it is safe and secure. Trying to get away with less may enable hackers to get away with more.

 
