Magento Security Scan Tool authentication bypass vulnerability

Vulnerability:
Magento released the “Magento Security Scan Tool” in October. A merchant registers a store on magento.com, proves ownership of the site, and can then run the tool to audit it. Ownership is proven by publishing a confirmation code on the site, but the check accepts the code anywhere in the response of whatever URL is submitted as the Site URL. Every Magento storefront ships with the built-in catalog search module, and its results page echoes the search term back into the page. An attacker can therefore submit a search URL on any Magento store with the confirmation code as the “q” parameter, pass verification, and then run and read the security scans/audits of ANY Magento website, using the PoC below.

Proof Of Concept
• Login to Magento.com
• Go to https://account.magento.com/scanner/
• Click on ADD SITE button
• On that page there are two input fields (Site URL, Site Name) and a pre-filled Confirmation code
• In the Site URL field enter the payload below, where the value of the “q” parameter is the confirmation code shown on that page: https://www.anymagentosite.com/catalogsearch/result/?q=3e43bc8d251021b8f42bc7d0b67fb487
• Click the Verify Confirmation Code button; the response will be: your site is verified!
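The following Python is an added example, not code from the original write-up or from Magento, and the page does not show how magento.com actually performed the check. It models the behaviour the PoC implies (the submitted URL is fetched verbatim and the code is accepted anywhere in the response body) against a constructed stand-in for a Magento storefront whose catalog search page echoes the query term, and places a hardened check beside it. The meta tag name magento-site-verification, the host www.anymagentosite.com and the page markup are assumptions made for the example.

```python
import hmac
import re
from html import escape
from urllib.parse import urlparse, parse_qs

CONFIRMATION_CODE = "3e43bc8d251021b8f42bc7d0b67fb487"  # code from the write-up
SITE = "https://www.anymagentosite.com"                   # assumed host
PAYLOAD = f"{SITE}/catalogsearch/result/?q={CONFIRMATION_CODE}"


def make_fake_site(meta_code=None):
    """Return a stand-in fetch(url) for a Magento storefront (constructed, not a real host).

    The catalog search results page echoes the query term, as Magento's does.
    If meta_code is given, the home page carries it in a verification meta tag,
    which is what a legitimate owner would publish under the hardened check.
    """
    def fetch(url):
        parsed = urlparse(url)
        if parsed.path.rstrip("/") == "/catalogsearch/result":
            q = parse_qs(parsed.query).get("q", [""])[0]
            # Hex characters survive HTML escaping, so the code lands in the body intact.
            return (f"<html><head><title>Search results for: '{escape(q)}'</title></head>"
                    f"<body><h1>Search results for: '{escape(q)}'</h1></body></html>")
        if parsed.path in ("", "/"):
            meta = (f'<meta name="magento-site-verification" content="{meta_code}">'
                    if meta_code else "")
            return f"<html><head>{meta}</head><body><h1>Home page</h1></body></html>"
        return "<html><body>404 Not Found</body></html>"
    return fetch


def weak_verify(site_url, code, fetch):
    """Flawed check: fetch the submitted URL verbatim and accept the code
    anywhere in the body. A reflected search term satisfies it."""
    return code in fetch(site_url)


META_RE = re.compile(
    r'<meta\s+name="magento-site-verification"\s+content="([0-9a-f]{32})"', re.I)


def strict_verify(site_url, code, fetch):
    """Hardened check: discard the submitted path and query entirely, fetch only
    the site root over https, and require the code inside a dedicated meta tag
    (exact, constant-time comparison)."""
    parsed = urlparse(site_url)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    body = fetch(f"https://{parsed.netloc}/")
    return any(hmac.compare_digest(found, code) for found in META_RE.findall(body))


if __name__ == "__main__":
    unowned = make_fake_site()                            # attacker does not control this site
    owned = make_fake_site(meta_code=CONFIRMATION_CODE)   # real owner published the tag
    print("weak check, attacker search URL  :", weak_verify(PAYLOAD, CONFIRMATION_CODE, unowned))     # True
    print("strict check, attacker search URL:", strict_verify(PAYLOAD, CONFIRMATION_CODE, unowned))   # False
    print("strict check, real owner's root  :", strict_verify(SITE + "/", CONFIRMATION_CODE, owned))  # True
```

The two design points that close the hole are that the verifier, not the submitter, decides which URL is fetched (a fixed location on the claimed origin), and that the code must appear in a structure the site owner controls and a reflected search term cannot produce, such as a dedicated meta tag, a file at a fixed path, or a DNS TXT record.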

The issue was reported to Magento and they have fixed it.
