Shoplift is already exploited in the wild

Apr 27, 2015 13:10 GMT

Administrators of online stores powered by the Magento e-commerce platform seem to be oblivious to the risk of not applying the latest patch for the software: more than 75,000 websites are currently at risk of being completely taken over by hackers.

The fix (SUPEE-5344) has been available since February, and the media covered the subject extensively, pointing out that the technical details of the flaw had been made public and that creating an exploit was not a difficult task.

About 8,000 websites patched over the weekend

In fact, the vulnerability (dubbed Shoplift), discovered by security researchers at Check Point, had started to be leveraged by hackers even before the analysis became available online.

Byte, a company in the Netherlands that hosts Magento websites, is actively tracking the number of unpatched stores and has observed that the fix is being applied at a very slow pace.

Data from the company shows that only 8,336 sites adopted the fix between Saturday and Monday, while 75,353 remain susceptible to attacks.

In a tweet on Saturday, Byte co-founder Willem de Groot noted that admins in Denmark were the quickest to protect themselves; even so, 45% of the stores in that country were still unpatched.

Ukraine, Romania and China are top draggers

According to a live map provided by the company, 62% of the Magento-powered shops in the US need to add SUPEE-5344, while in Canada the percentage is higher, at 68%.

Admins in Ukraine, Romania and China showed the highest level of disregard for the danger posed by Shoplift, with 89%, 88% and 86% of the stores in these countries, respectively, still vulnerable.

Check Point demonstrated in a video one way hackers could take advantage of the flaw: adding a fraudulent 100% discount coupon and “purchasing” a $100,000 / €92,000 watch from a website they had set up themselves.

However, the consequences can be of a different nature: an attacker can take over the site and steal customer information, including the financial data submitted with orders.

Since installing the Magento patch is not a straightforward task, Byte has published instructions on how it can be applied.

[Image: Number of websites still vulnerable to Shoplift]
[Image: Global state of websites vulnerable to Shoplift]