Backdoor found in popular ecommerce components

https://news.ycombinator.com/rss Hits: 1
Summary

Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor has been actively used since at least April 20th. Sansec identified these backdoors in the following packages, which were published between 2019 and 2022:

Vendor     Package
Tigren     Ajaxsuite
Tigren     Ajaxcart
Tigren     Ajaxlogin
Tigren     Ajaxcompare
Tigren     Ajaxwishlist
Tigren     MultiCOD
Meetanshi  ImageClean
Meetanshi  CookieNotice
Meetanshi  Flatshipping
Meetanshi  FacebookChat
Meetanshi  CurrencySwitcher
Meetanshi  DeferJS
Meetanshi  OutofstockNotifier
MGS        Lookbook
MGS        StoreLocator
MGS        Brand
MGS        GDPR
MGS        Portfolio
MGS        Popup
MGS        DeliveryTime
MGS        ProductTabs
MGS        Blog

We established that the Tigren, Magesolution (MGS) and Meetanshi servers were breached and that the attackers were able to inject backdoors into the packages served from their download servers.

This is a supply chain attack, one of the most damaging kinds of compromise: by breaching these vendors, the attacker gained access to all of their customers' stores and, by proxy, to every shopper who visits those stores.

We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel itself or only these particular stores were compromised.

Check your store now

If you use software from these vendors, check your store now. The backdoor consists of a fake license check in a file called License.php or LicenseApi.php. The malicious part is the adminLoadLicense function, which executes $licenseFile as PHP:

    protected function adminLoadLicense($licenseFile)
    {
        $data = include_once($licenseFile);
    }

The $licenseFile path can be controlled by the attacker through the adminUploadLicense function. In versions from 2019 this requires no authentication at all. In later versions it requires a secret key that must match the hardcoded checksum and salt:

    class License
    {
        const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
        const SIGN_KEY = 'afa3a778bd34181c44f2dfe1de8aff05';
        // ...
    }

The fake license check is explicitly activated via reg...
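As an added example (not Sansec's tooling and not code from Tigren, Meetanshi or MGS), here is a small scanner that looks for the indicators quoted above in a Magento code tree: a file named License.php or LicenseApi.php, an adminLoadLicense() whose body include_once()s a variable rather than a fixed path, the adminUploadLicense() entry point, and the two hardcoded 32-character hex keys. The two embedded PHP samples and the paths passed to the scanner are constructed for this example; the body of adminUploadLicense is a placeholder, since the real one is not reproduced on this page.

```python
"""Scanner for the fake-license backdoor described above.

Added example, not Sansec's tooling and not vendor code. Indicators are
taken from the writeup; sample PHP and paths are constructed.
"""
import os
import re
import sys

# Hardcoded key material quoted in the advisory.
KNOWN_KEYS = {
    "83ba291cd9201e9a28173741bac82745",  # SECURE_KEY
    "afa3a778bd34181c44f2dfe1de8aff05",  # SIGN_KEY
}
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}

RE_LOAD = re.compile(r"\bfunction\s+adminLoadLicense\s*\(")
RE_UPLOAD = re.compile(r"\bfunction\s+adminUploadLicense\s*\(")
RE_NEXT_FUNC = re.compile(r"\bfunction\s+\w+\s*\(")
# include/require whose operand is a variable, i.e. a path the code does not fix.
RE_DYNAMIC_INCLUDE = re.compile(
    r"\b(?:include|include_once|require|require_once)\s*\(?\s*\$\w+"
)
RE_HEX32 = re.compile(r"'([0-9a-f]{32})'")


def scan_source(path: str, text: str) -> list[str]:
    """Return the indicators found in one PHP source file (empty if none)."""
    reasons = []
    if os.path.basename(path) in SUSPECT_FILENAMES:
        reasons.append("suspect-filename")
    m = RE_LOAD.search(text)
    if m:
        # Inspect only the body of adminLoadLicense, up to the next function.
        body = text[m.end():]
        nxt = RE_NEXT_FUNC.search(body)
        if nxt:
            body = body[: nxt.start()]
        if RE_DYNAMIC_INCLUDE.search(body):
            reasons.append("dynamic-include-in-adminLoadLicense")
    if RE_UPLOAD.search(text):
        reasons.append("adminUploadLicense-present")
    for key in RE_HEX32.findall(text):
        if key in KNOWN_KEYS:
            reasons.append(f"known-key:{key}")
    return reasons


def is_backdoored(reasons: list[str]) -> bool:
    """A file name alone is noise; the dynamic include or a known key is not."""
    return any(
        r == "dynamic-include-in-adminLoadLicense" or r.startswith("known-key:")
        for r in reasons
    )


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a code tree (e.g. app/code and vendor) and return backdoored files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            reasons = scan_source(full, text)
            if is_backdoored(reasons):
                hits[full] = reasons
    return hits


# Constructed sample mirroring the snippets quoted above; the
# adminUploadLicense body is a placeholder, not the real one.
BACKDOORED_SAMPLE = """<?php
class License
{
    const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
    const SIGN_KEY = 'afa3a778bd34181c44f2dfe1de8aff05';

    protected function adminLoadLicense($licenseFile)
    {
        $data = include_once($licenseFile);
    }

    public function adminUploadLicense($key, $content)
    {
        // placeholder
    }
}
"""

# Constructed benign file: fixed include path, no upload entry point.
CLEAN_SAMPLE = """<?php
class License
{
    public function load()
    {
        return include_once __DIR__ . '/license.config.php';
    }
}
"""


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in scan_tree(root).items():
        print(path, ", ".join(reasons))
```

Run it against the store's app/code and vendor directories. A hit on the dynamic include or on one of the known keys should be treated as a compromise, not a false positive: look for whatever license file was uploaded through adminUploadLicense, and reinstall the extension from a source you have verified rather than from the vendor's download server until the vendor confirms it is clean. A clean scan is weaker evidence than a hit, since the indicators here are only the ones this page quotes.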

First seen: 2025-05-11 15:23

Last seen: 2025-05-11 15:23