10,000 websites patched in one day, tens of thousands to go

Apr 24, 2015 17:02 GMT

Following the disclosure of the technical details of a critical vulnerability in the Magento e-commerce platform, online stores relying on the software have started to apply the patch, but the process is slow, and thousands of websites remain susceptible to attack.

The issue, dubbed Shoplift, was solved by the maintainers of Magento in February, but few admins hurried to secure their online shops. After two months, tens of thousands of websites can still be compromised.

Flaw is exploited in the wild, shops need to be updated

Willem de Groot, co-founder of Byte, a company that hosts websites running Magento, said on Friday that there are almost 88,000 stores that need to update their e-commerce software, which amounts to a drop of about 10,000 in the number of vulnerable websites since yesterday.

Although an uptick in the patch rate is good news, updates should be deployed faster, especially since exploits have been recorded in the wild before the vulnerability details became public.

Check Point discovered the vulnerability in January and disclosed it privately to Magento. On Wednesday, the security company published an analysis of the glitch that permits remote code execution, including details that would allow an attacker to create an exploit and take advantage of the flaw.

Sites managed by governments are exposed

The risk is high because a successful attack can lead to complete compromise of the store, which means that customer data and financial information can be exfiltrated. Alternatively, attackers can create an admin account for themselves and use it when least expected.

As presented by Check Point in a video demonstrating the weakness, another danger is that threat actors can make purchases without paying a dime.

According to de Groot, websites administered by governments in different countries are also running a vulnerable version of Magento. Brazil, Australia, and Ghana were among the examples he provided on Wednesday, and those sites are still unpatched.

The Magento patch is available for download (SUPEE-5344), but applying it is not the easiest task, which may also contribute to the slow update rate. To speed things up, Byte has created a wiki page with installation instructions.
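For an administrator who has applied the patch and wants to confirm that the installation actually records it, the following script is an added example; it is not code from the article, from Magento, or from Byte. It assumes that Magento's official patch scripts append one line per applied patch to `app/etc/applied.patches.list`, with the patch identifier (such as `SUPEE-5344`) appearing as a pipe-separated field after a timestamp; the sample log contents and the default store path are constructed for this example. A patch applied by hand, without the official script, leaves no entry, so a missing record is a reason to look closer rather than proof that the store is unpatched.

```python
"""Check whether a Magento 1 installation records the Shoplift patch (SUPEE-5344)
as applied, by reading app/etc/applied.patches.list.

Assumptions (not confirmed by the article): the official patch scripts append one
line per patch to that file, and each line carries the SUPEE identifier as one of
several " | "-separated fields following a timestamp.
"""
import re
from pathlib import Path

# Patches this check requires. SUPEE-5344 is the Shoplift fix named in the article;
# later patch identifiers can be added to the tuple.
REQUIRED_PATCHES = ("SUPEE-5344",)

# A SUPEE identifier as it appears in the log (assumed format).
PATCH_ID = re.compile(r"\bSUPEE-\d+\b")

# Constructed sample of an applied.patches.list file (format assumed, see docstring).
SAMPLE_LOG = """\
2015-02-09 10:12:33 UTC | SUPEE-1533 | CE_1.9.1.0 | v1 | 1234abcd | ...
2015-04-23 08:45:01 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 5678efgh | ...
"""


def applied_patch_ids(log_text):
    """Return the set of SUPEE identifiers recorded in the log text."""
    found = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        match = PATCH_ID.search(line)
        if match:
            found.add(match.group(0))
    return found


def missing_patches(log_text, required=REQUIRED_PATCHES):
    """Return the required patch IDs that are absent from the log, in the given order."""
    applied = applied_patch_ids(log_text)
    return [patch for patch in required if patch not in applied]


def check_install(magento_root, required=REQUIRED_PATCHES):
    """Check one Magento root directory.

    A missing log file means the official patch script has never recorded a
    patch there, so every required patch is reported as missing.
    """
    log_path = Path(magento_root) / "app" / "etc" / "applied.patches.list"
    if not log_path.is_file():
        return {"root": str(magento_root), "log_found": False, "missing": list(required)}
    text = log_path.read_text(errors="replace")
    return {"root": str(magento_root), "log_found": True, "missing": missing_patches(text, required)}


if __name__ == "__main__":
    import sys

    # Placeholder path; pass one or more Magento root directories as arguments.
    roots = sys.argv[1:] or ["/var/www/magento"]
    for root in roots:
        result = check_install(root)
        status = "OK" if result["log_found"] and not result["missing"] else "NEEDS ATTENTION"
        print(f"{result['root']}: {status} "
              f"(log found: {result['log_found']}, missing: {result['missing']})")
```

Run it with the store's document root as the argument; a store whose log lists SUPEE-5344 prints OK, while a store with no log or without that entry is flagged for a closer look.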