Shoplift bug is still a danger due to unpatched stores

Sep 18, 2015 22:28 GMT  ·  By

Last April, Check Point security researchers disclosed a critical vulnerability in Magento, an e-commerce platform that many companies use to host their online stores.

The vulnerability, dubbed Shoplift, was quickly patched, and eBay, which acquired Magento a few years back, has since devoted more attention to the platform's security, issuing a series of patches over the past months.

Three days after Shoplift was disclosed, Byte, a Dutch hosting company that, among other things, provides Magento support, measured how many websites had applied the initial Shoplift security update.

At that time, 75,353 websites were still unprotected, and only 8,336 had applied the fix.

Byte has since expanded its database of Magento shops, and although almost five months have passed since Shoplift was made public, 80% of the sites it tracks remain unpatched.

80% of all Magento stores are still in danger

Byte currently tracks 216,934 websites, which means that 173,547 Magento shops, a staggering number, are still unpatched.

Most of the unpatched stores run the free Magento Community Edition. That is not surprising: the Enterprise Edition is expensive, and merchants who can afford its license can usually also afford the technical staff to handle patching.

Why does this matter? Mainly because Magento patches are still applied from a command-line console on the server, something you would not expect from such a high-end product, and a process that is difficult or nearly impossible for users without technical skills.

To check whether your site is exposed to any of the many Magento bugs disclosed in recent months, Byte has revamped its earlier Shoplift detection dashboard (MageReport) to test for additional security problems.
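MageReport tests a store from the outside. From the same console that the patches are applied in, an administrator can also check locally which patches the install has recorded. The following is an added example, not code from the article, Byte or Magento. It assumes the Magento 1 convention that each patch is a shell script run from the store root which appends one pipe-separated line, with the patch name in the second field, to app/etc/applied.patches.list, and that reverting a patch appends a further line for it ending in REVERTED. The patch names SUPEE-5344 (Magento's published name for the Shoplift fix), SUPEE-5994 and SUPEE-6285 are later Magento patch names that the article itself does not mention, and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Byte or Magento): report which SUPEE
# patches a Magento 1 install has recorded as applied.
#
# Assumptions (the article does not describe the mechanism):
#  - each applied patch appends one "|"-separated line to
#    app/etc/applied.patches.list, patch name in the second field;
#  - reverting a patch appends another line for it that ends in "REVERTED";
#  - SUPEE-5344 (Shoplift fix), SUPEE-5994 and SUPEE-6285 are published
#    Magento patch names; none appears in the article.

# Constructed sample of such a list (not a real store's file):
# SUPEE-5344 applied, SUPEE-5994 applied and then rolled back.
SAMPLE_LIST='2015-04-23 09:12:41 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 1111111 | Mon Feb 9 10:00:00 2015 +0100 | 1.9.1.0 | SUPEE-5344.sh
2015-05-15 17:40:02 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | 2222222 | Thu May 14 12:00:00 2015 +0100 | 1.9.1.0 | SUPEE-5994.sh
2015-05-16 08:01:13 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | 2222222 | Thu May 14 12:00:00 2015 +0100 | 1.9.1.0 | REVERTED'

# patch_status PATCH_ID [FILE]
# Prints "applied", "reverted" or "missing" for PATCH_ID, judged by the last
# line in FILE (default: app/etc/applied.patches.list) that names it.
# An unreadable file is reported as "missing" rather than as an error.
patch_status() {
    id="$1"
    file="${2:-app/etc/applied.patches.list}"
    [ -r "$file" ] || { echo missing; return 0; }
    last=$(awk -F'|' -v id="$id" '
        { name = $2; gsub(/^[ \t]+|[ \t]+$/, "", name); if (name == id) last = $0 }
        END { print last }' "$file")
    if [ -z "$last" ]; then
        echo missing
    elif printf '%s\n' "$last" | grep -q 'REVERTED'; then
        echo reverted
    else
        echo applied
    fi
}

# check_patches FILE PATCH_ID...
# Prints "PATCH_ID: status" per patch; returns 1 if any patch is not in the
# applied state, so the call can gate a deploy step or raise a cron alert.
check_patches() {
    file="$1"; shift
    rc=0
    for id in "$@"; do
        st=$(patch_status "$id" "$file")
        echo "$id: $st"
        [ "$st" = applied ] || rc=1
    done
    return $rc
}

# Stand-alone demo against the constructed sample; on a real server you would
# run check_patches against app/etc/applied.patches.list in the store root.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" > "$tmp"
    check_patches "$tmp" SUPEE-5344 SUPEE-5994 SUPEE-6285
    rc=$?
    rm -f "$tmp"
    return $rc
}

if demo; then
    echo "all requested patches are applied"
else
    echo "action needed: at least one patch is missing or reverted"
fi
```

Two caveats a practitioner should keep in mind: a Magento release that already bundles a fix does not write an entry for it to this file, so "missing" means "not recorded here", not necessarily "vulnerable"; and the file only records what the patch scripts wrote, so it cannot tell you whether a patched file was later overwritten by a theme or extension. Both are reasons an external check such as MageReport remains useful alongside a local one.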

Byte has also produced an infographic to help webmasters understand why patching their shop right away matters.

The state of security for Magento shops

The Magento team has been kind enough to provide an official statement regarding Magento's current security state:

"Magento is committed to ensuring the security and integrity of our software. We want to empower retailers, brands and branded manufacturers to maintain the kind of fine-grained control they expect from Magento, even when it comes to their security implementations.

Patch updating is a nuanced process, particularly with the high level of customization that merchants implement in order to create uniquely branded customer experiences with Magento. While the unique flexibility of our platform prohibits us from enabling auto-patching, we always work to inform affected merchants and equip them to apply patches as quickly as possible.

To this end, merchants are alerted to the criticality of an update through the vulnerability severity rating associated with each patch and included in the issue description on the Security Center. There is also a great resource developed by the broad Magento ecosystem detailing which version requires which patch. Another great community resource is magereport.com which lets clients run tests on their website and gives an instant overview of which patches have not been applied or where there is uncertainty.

We are working to further simplify the download process for all versions by making patches more easily available for automated downloads."

Ted Pietrzak, Senior Director, Product Development, Magento

Image: The new MageReport dashboard
Image: The state of security for Magento shops (infographic)