Those with websites based on eBay’s popular Magento platform may be vulnerable to a remote code execution bug which allows attackers to bypass all security mechanisms and gain full control of online stores and their databases.
An attacker exploiting it can access anything the store’s real admin can, including customer details. Security research firm Check Point Software Technologies released a video demonstrating how Shoplift, also known as ‘SUPEE-5344,’ works.
Check Point privately disclosed the vulnerability to eBay, together with a list of suggested fixes, before making it public. A software patch to fix it was released in February; Check Point provided a link to the patch.
“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point. “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30 percent of the ecommerce market.”
Magento is a popular e-commerce platform for retailers in New Zealand. The New Zealand Herald’s Juha Saarinen reports that a list of vulnerable New Zealand sites has been compiled with the help of Dutch Magento hosting provider Willem de Groot. It has not been made public, but Saarinen says at least 559 sites are on it, including “some familiar business names.” You can check if your site is vulnerable here.
Auckland web design and development company Media Core specialises in Magento, basing most of its work on it. Media Core sales and project manager Ben Davis said this morning that Media Core had installed the relevant security patch last week and that all of its websites are now protected.
He says retailers with e-commerce stores based on Magento will not be protected if they have not installed the patch.
Retailers should not overreact, says Davis, who reports that this is the first major issue he has seen from Magento.
A week ago, Check Point said it had not witnessed any attempted exploitation of the Shoplift vulnerability “in the wild” but another tech blog, Sucuri, has since reported attacks by a group based in Russia.
“Most vulnerabilities are not all that different to each other,” Davis says. “They end up causing the same result, which is that someone can get into the back end of your site and cause havoc.”
He says retailers should make sure they keep a back-up copy of their website so that any damage done can be “rolled back”, remember to keep the platform and software up to date, and make sure their hosting is secure.
“The reason most people get hacked is due to hosting issues,” Davis says.
Comparing the risk of e-commerce security breaches to that of shoplifting in bricks-and-mortar stores, Davis says there will always be a risk, but retailers should not allow this to undermine their peace of mind.
“The reality is that if you’re doing everything you can to tick all the boxes, stay up to date and your hosting platform is secure, you really shouldn’t be too concerned.”