The ‘Shoplift’ bug could lift your entire online shop

  • News
  • April 29, 2015
  • Sarah Dunn

Those with websites based on eBay’s popular Magento platform may be vulnerable to a remote code execution bug that allows attackers to bypass all security mechanisms and gain full control of online stores and their databases.

Attackers who exploit the bug can access anything the store’s real admin can, including customer details. Security research firm Check Point Software Technologies released a video demonstrating how Shoplift, also known as ‘SUPEE-5344,’ works.

Check Point privately disclosed the vulnerability to eBay together with a list of suggested fixes before making it public. A software patch to fix it was released in February – this is the link Check Point provided.

“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point. “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30 percent of the ecommerce market.”

Magento is a popular e-commerce platform for retailers in New Zealand. The New Zealand Herald’s Juha Saarinen reports that a list has been compiled of vulnerable New Zealand sites with the help of Dutch Magento hoster Willem de Groot. It has not been made public, but Saarinen says at least 559 sites are on it, including “some familiar business names.” You can check if your site is vulnerable here.

Auckland web design and development company Media Core specialise in Magento, basing most of their work on it. Media Core sales and project manager Ben Davis said this morning that Media Core had installed the relevant security patch last week and all of its websites are now protected.

He says retailers with e-commerce stores based on Magento will not be protected if they have not installed the patch.

Retailers should not overreact, says Davis, who reports that this is the first major issue he has seen from Magento.

A week ago, Check Point said it had not witnessed any attempted exploitation of the Shoplift vulnerability “in the wild” but another tech blog, Sucuri, has since reported attacks by a group based in Russia.

“Most vulnerabilities are not all that different to each other,” Davis says. “They end up causing the same result, which is that someone can get into the back end of your site and cause havoc.”

He says retailers should make sure they keep a back-up copy of their website so that any damage done can be “rolled back”, remember to keep the platform and software up to date, and make sure their hosting is secure.

“The reason most people get hacked is due to hosting issues,” Davis says.

Comparing the risk of e-commerce security breaches to that of shoplifting in bricks-and-mortar stores, Davis says there will always be a risk, but retailers should not allow this to undermine their peace of mind.

“The reality is that if you’re doing everything you can to tick all the boxes, stay up to date and your hosting platform is secure, you really shouldn’t be too concerned.”



©2009–2015 Tangible Media. All rights reserved.