This February was the first anniversary of the discovery and patching of the Shoplift Magento vulnerability. In spite of a patch being made available immediately after the vulnerability was discovered, it appears that a significant number of Magento eCommerce retailers have yet to patch their store or upgrade to a version of Magento without the vulnerability. Stores that are not yet patched are at significant risk of compromise.
Shoplift is a serious remote code execution vulnerability caused by a coding error that allows an attacker to inject SQL into a store’s database. It can — and has been — used to add new admin users to Magento stores. At that point, the attacker has complete control over the store and its data.
Versions of Magento Community Edition prior to 184.108.40.206, and Magento Enterprise Edition prior to 220.127.116.11 are vulnerable. If you’re unsure whether your store is vulnerable, you can use this test from Magento’s developers. If your store is not patched, you should immediately install the relevant patch or upgrade to a non-vulnerable version.
Some readers might be thinking that this is all old news, and in an ideal world it would be, but there’s evidence that a substantial proportion of the tens of thousands of Magento eCommerce stores in existence have yet to be patched.
In an unusual wrinkle, the code used to harvest payment details disguised itself as the SUPEE-5344 patch — the patch that was released after Shoplift was discovered and which removes the vulnerability.
There is really no excuse for a store to remain vulnerable to Shoplift more than a year after the patch was released and the vulnerability was widely publicized. Retailers who neglected to patch their store are putting shoppers at serious risk of having credit card data stolen. Clearly, stores that have been compromised are no longer PCI compliant.
Retailers with Magento stores should immediately ensure that their store is patched and runs on an up-to-date version of Magento. If a store is unpatched, store owners should check all administrative users to ensure that they are genuine, and all administration passwords should be changed.
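Two of the checks recommended above, a patch-status check and an admin-user audit, as an added example that is not from the article or from Magento itself. It assumes Magento 1's `app/etc/applied.patches.list` holds one pipe-delimited record per applied patch with the patch name in the second field, and that the `admin_user` table has been exported with `username`, `email`, `created` and `is_active` columns; both inputs are constructed samples.

```python
"""Post-Shoplift audit helpers (added example; formats and data are assumptions)."""
import csv
import io

# Constructed sample of app/etc/applied.patches.list. The pipe-delimited layout
# with the patch name as field 2 is an assumption about Magento 1's patch scripts.
APPLIED_PATCHES = """\
2015-02-10 09:12:44 UTC | SUPEE-1533 | CE_1.9.1.0 | v1 | 1 | SUPEE-1533 | CE_1.9.1.0 | v1 | Yes
2015-02-10 09:13:02 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 1 | SUPEE-5344 | CE_1.9.1.0 | v1 | Yes
"""

# Constructed export of: SELECT username, email, created, is_active FROM admin_user;
ADMIN_USERS_CSV = """\
username,email,created,is_active
admin,owner@example-shop.test,2014-06-01 10:00:00,1
warehouse,stock@example-shop.test,2014-09-15 08:30:00,1
sysadmin1,nobody@mailinator.test,2016-01-22 03:14:07,1
oldintern,intern@example-shop.test,2014-07-01 09:00:00,0
"""


def patch_applied(applied_list: str, patch_id: str) -> bool:
    """Return True if patch_id is recorded as the patch name in any record."""
    for line in applied_list.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) > 1 and fields[1] == patch_id:
            return True
    return False


def unexpected_admins(admin_csv: str, approved: set) -> list:
    """Return active admin usernames that are not on the store owner's approved list.

    These are the accounts to verify (and remove if nobody created them), since
    Shoplift was used to insert new admin users. Disabled accounts are skipped."""
    reader = csv.DictReader(io.StringIO(admin_csv))
    return [row["username"] for row in reader
            if row["is_active"] == "1" and row["username"] not in approved]


if __name__ == "__main__":
    print("SUPEE-5344 applied:", patch_applied(APPLIED_PATCHES, "SUPEE-5344"))
    print("Admins to verify:", unexpected_admins(ADMIN_USERS_CSV, {"admin", "warehouse"}))
```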