Magento Shoplift Vulnerability

Magento [1] is a popular web e-commerce platform. In February 2015 Magento released the update SUPEE-5344 [2], which fixed a critical security vulnerability [3]. The vulnerability allows remote attackers to insert a Magento administrator account into the database and to execute arbitrary code.

According to Byte.NL [4], a large number of Magento webshops have still not been patched. Attack code is publicly available [5] and is currently being used by attackers to exploit the vulnerability.

Impact

The vulnerability can be abused by anyone on the internet; the attacker does not need an account in your Magento web shop. The attacker becomes an administrator of your e-commerce platform and can read and change the stored personal customer data, including any stored credit card data. In short, the attacker can do whatever they want with your e-commerce platform.

This can result in a privacy breach (disclosure of personal user data) and financial fraud. It can also make your e-commerce platform unavailable.

Because attack code is available, if you have not yet patched, your site is likely to be compromised soon.

Solution

Users of the Magento e-commerce platform are urged to apply the update [2] available from Magento immediately. Update instructions are available in English [6] and Dutch [7].

Additional information

You can verify online whether your site is still vulnerable via the Byte.NL check [8]: https://shoplift.byte.nl/
Note: the information from Byte.NL is reliable, but we have no insight into what is actually checked.
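A complementary local check, added here as an example and not part of the original advisory: since the vulnerability inserts an administrator account into the database, auditing the Magento 1.x admin_user table against your documented administrators and the month the update was released surfaces an account an attacker may already have added. The sample rows and the allowlist below are constructed; the same SELECT runs unchanged against the live MySQL table.

```python
import sqlite3
from datetime import datetime

# Constructed sample of the Magento 1.x admin_user table (real table and column
# names; the rows are made up for this example and come from no real shop).
SAMPLE_ADMIN_USERS = [
    ("shopadmin", "admin@example.com", "2014-06-01 09:12:00", 1),
    ("support2",  "x@example.net",     "2015-04-21 03:17:44", 1),
    ("ex_staff",  "staff@example.com", "2013-02-10 10:00:00", 0),
]

# Assumed allowlist: the administrator accounts you know you created.
KNOWN_ADMINS = {"shopadmin", "ex_staff"}
# The advisory dates the SUPEE-5344 release to February 2015; any admin account
# created after that point deserves a look.
PATCH_RELEASE = datetime(2015, 2, 1)


def load_sample_db():
    """Build an in-memory stand-in for the admin_user table from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, email TEXT, created TEXT, is_active INTEGER)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?)", SAMPLE_ADMIN_USERS)
    return conn


def suspicious_admins(conn, known=KNOWN_ADMINS, since=PATCH_RELEASE):
    """Return admin accounts that are not in the allowlist or were created after
    `since`, oldest first, each with the reasons it was flagged."""
    rows = conn.execute(
        "SELECT username, email, created, is_active FROM admin_user ORDER BY created"
    ).fetchall()
    flagged = []
    for username, email, created, is_active in rows:
        created_at = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if username not in known:
            reasons.append("not in allowlist")
        if created_at > since:
            reasons.append("created after patch release")
        if reasons:
            flagged.append({"username": username, "email": email, "created": created,
                            "active": bool(is_active), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for account in suspicious_admins(load_sample_db()):
        print(account)
```

An account that is flagged for both reasons and is still active should be disabled and its creation correlated with the web server logs from the same time.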

Contact your hosting provider for any configuration questions or help.
You can contact CERT.be [9] via cert [at] cert [dot] be for additional questions.
CERT.be has a web server security best practice guide [10] that applies to all websites, not necessarily limited to e-commerce platforms.

[1] http://magento.com/
[2] https://www.magentocommerce.com/products/downloads/magento/
[3] http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
[4] https://www.byte.nl/blog/exploit-voor-zeer-serieus-magento-lek-supee-5344/
[5] https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-...
[6] https://www.byte.nl/wiki/How_to_apply_Magento_patch_SUPEE-5344?_ga=1.215...
[7] https://www.byte.nl/wiki/Magento_lek_SUPEE-5344?_ga=1.215752094.84997875...
[8] https://shoplift.byte.nl/
[9] https://www.cert.be
[10] https://www.cert.be/docs/web-server-security-best-practices