According to Securatary, this vulnerability allows for a cross store (unauthenticated, as we have not authenticated to our target store) privilege escalation attack, that will create a user on any * store. There are over 200 000 active Magento Go stores. So this attack allows access to 200 000 customers data. This attack gives us administrative account on each of these stores with a single GET request.

You can take advantage of this vulnerability and use the administrative account to change prices of the products in order to buy for free any product that you want. And this will be just a “software error”. But don’t forget that Magento stores in it’s database all the logs regarding admin and user activity.

Now that you’re thinking to act fast, to hack a website, I’ll give you some bad news. This vulnerability was reported to the eBay Enterprise Bug Bounty team on Sunday 9th February 2014. The Magento engineering team fixed this issue very quickly. So the vulnerability don’t exists anymore.

You can see here all the hacking process.