As much as I hate to be the bearer of bad news on a Monday, there’s a critical vulnerability in the Magento ecommerce platform that is causing real concern right now. It affects every Magento Community and Enterprise Edition install that has not had the February patch applied, so if you run Magento it’s important that you take steps today to make sure you’re protected.
The Magento team released a critical security patch (SUPEE-5344) for it back in February 2015; however, the issue was kept pretty quiet until the details were published last week, so now there’s a fair few people trying to patch it and, more worryingly, a fair few others trying to exploit it.
The vulnerability is going by the name of ‘ShopLift’ and has already been exploited in the wild. It is a chain of flaws (a bypass of the admin login followed by SQL injection) that ends in unauthenticated remote code execution: an attacker who can reach your shop over the web can run their own code on the server and take full control of the store without ever having an account on it. As you can imagine, that’s not going to be good for business.
One of the reasons the vulnerability is particularly worrying is that a Magento shop handles customers’ payment and personal details, so a compromise exposes not only your data but your customers’ too. That can add hefty fines and loss of reputation to any damage done to your own systems.
The problem is that if you went to Magento today and downloaded the latest release, it would still be vulnerable to ShopLift: the fix has only been shipped as a separate patch, not rolled into a new release, so for over two months Magento has been distributing known-vulnerable code and relying on people to apply the patch straight away. That clearly hasn’t been happening; as of last Friday, 87,930 Magento shops were still unpatched.
However, there are ways of protecting yourself if you haven’t done so already, and it’s important to make this a priority. First up, make sure the patch is actually applied.
To apply it, log in to your Magento account, download the SUPEE-5344 patch that matches the exact Magento version of each site (the patch is a shell script, and there is a different one per version), upload it to that site’s Magento root directory and run it from there. You need to do this for every Magento website you have, which might take a while if you run several; if a site uses the Magento compiler, disable it before patching and recompile afterwards, because the patch edits core PHP files under app/code. Once it has run, the patch script records itself in app/etc/applied.patches.list, and a line containing SUPEE-5344 in that file is the quickest way to confirm a site is covered. It’s important that you proactively protect yourself in this instance.
Another option is to run this script, which searches out every Magento site on a server, identifies the version of each one, and then downloads and applies the correct patch, which makes things much simpler if you host a lot of shops!
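As an added example (not the script linked above and not Magento’s own code), here is a small POSIX shell audit in the same spirit: it finds every Magento 1 install under a directory by locating app/Mage.php, reads the version out of Mage::getVersionInfo(), and checks app/etc/applied.patches.list for a SUPEE-5344 record. It does not download patches, since those come from your Magento account; mage_apply_patch only runs a patch file you already have from the install root. The make_fixture helper builds constructed stand-in installs so the script runs offline, and the applied.patches.list line it writes is illustrative rather than a copy of the real record format.

```shell
#!/bin/sh
# Added example: audit a server for Magento 1 installs missing a SUPEE patch.
# Not the script the post links to and not Magento's own code.
set -eu

# Every Magento 1 install has app/Mage.php; print the install root for each one found under $1.
find_magento_installs() {
    find "$1" -type f -path '*/app/Mage.php' 2>/dev/null | while IFS= read -r f; do
        dirname "$(dirname "$f")"
    done
}

# Read the version from Mage::getVersionInfo() in app/Mage.php (keys major/minor/revision/patch).
# Prints e.g. 1.9.1.0; returns 1 if the file or any key is missing.
mage_version() {
    f="$1/app/Mage.php"
    [ -f "$f" ] || return 1
    v=""
    for key in major minor revision patch; do
        part=$(sed -n "s/.*'$key' *=> *'\([0-9][0-9]*\)'.*/\1/p" "$f" | head -n 1)
        [ -n "$part" ] || return 1
        v="${v:+$v.}$part"
    done
    printf '%s\n' "$v"
}

# Magento's patch .sh scripts append a record to app/etc/applied.patches.list when they run.
# $2 is the patch id (e.g. SUPEE-5344). Missing file or missing line => not applied via the script.
mage_has_patch() {
    grep -q -- "$2" "$1/app/etc/applied.patches.list" 2>/dev/null
}

# One "<install> <version> <patched|UNPATCHED>" line per install under $1 for patch $2.
audit_magento_root() {
    find_magento_installs "$1" | while IFS= read -r shop; do
        ver=$(mage_version "$shop" || echo unknown)
        if mage_has_patch "$shop" "$2"; then st=patched; else st=UNPATCHED; fi
        printf '%s %s %s\n' "$shop" "$ver" "$st"
    done
}

# Number of installs under $1 lacking patch $2 (handy as a cron/monitoring check).
count_unpatched() {
    audit_magento_root "$1" "$2" | grep -c ' UNPATCHED$' || true
}

# Apply a patch .sh obtained from your Magento account. Magento's patch scripts must be run
# from the install root, which is all this does; choose the file matching mage_version yourself.
mage_apply_patch() {
    ( cd "$1" && sh "$2" )
}

# --- Constructed fixtures so the example runs offline ---------------------------------------
# $1 install dir, $2..$5 major minor revision patch, $6 "patched" or "unpatched".
# Only the version block of Mage.php is reproduced, and the applied.patches.list line is
# illustrative: the real script writes its own pipe-separated record containing the patch id.
make_fixture() {
    mkdir -p "$1/app/etc"
    cat > "$1/app/Mage.php" <<EOF
<?php
final class Mage
{
    public static function getVersionInfo()
    {
        return array(
            'major'     => '$2',
            'minor'     => '$3',
            'revision'  => '$4',
            'patch'     => '$5',
            'stability' => '',
            'number'    => '',
        );
    }
}
EOF
    if [ "$6" = patched ]; then
        printf '%s\n' "2015-02-10 08:10:38 UTC | SUPEE-5344 | CE_$2.$3.$4.$5 | v1 | constructed record" \
            > "$1/app/etc/applied.patches.list"
    else
        : > "$1/app/etc/applied.patches.list"
    fi
}

DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
make_fixture "$DEMO_ROOT/var/www/shop-a" 1 9 1 0 patched
make_fixture "$DEMO_ROOT/var/www/shop-b" 1 8 1 0 unpatched
make_fixture "$DEMO_ROOT/home/deploy/legacy-shop" 1 7 0 2 unpatched

audit_magento_root "$DEMO_ROOT" SUPEE-5344
echo "Unpatched installs: $(count_unpatched "$DEMO_ROOT" SUPEE-5344)"
```

Point it at the real web root (for example `audit_magento_root /var/www SUPEE-5344`) and anything marked UNPATCHED needs the patch for its listed version. Two caveats: the check trusts the list the patch script keeps, so a fix applied by hand with `patch` will show as missing and a reverted patch may still show as present; and a hosting box with shops in unusual locations needs the scan rooted at `/` rather than a single directory.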
Either way, it’s vital that you protect yourself if you haven’t already done so – don’t make this Monday any worse than it has to be!
For more information on our security solutions take a look at our website or give us a call on 0208 045 4945.