Magento eCommerce Shoplift Patch Alert
Security firms are warning that attackers are increasingly exploiting a flaw patched in Magento’s e-commerce platform back in February. If you are using Magento’s e-commerce platform, you should ensure you are running its latest software, as the vulnerability, known as the Magento Shoplift, can allow an attacker to gain complete control over a store with administrator access, potentially allowing credit card theft.
Security researchers at Check Point Technologies, which found the flaw, reported it to Magento, which issued a patch (SUPEE-5344) on Feb. 9. Since Check Point revealed the flaw earlier this week, it appears attackers have picked up on it and are trying to find unpatched applications.
You can see if your Magento store is patched by entering your URL into a tool created by Magento. However, a store that was already exploited before the patch was applied could still be at risk after patching.
For your convenience, we have included a visual demonstration of one way the vulnerability can be exploited, which was created and posted by Check Point.
For more detailed information, visit the Check Point blog post "Analyzing the Magento Vulnerability", which covers in detail:
- What kind of attack is it?
- How did Check Point discover this vulnerability?
- How can I protect against the vulnerability?
- Vulnerable Versions
- Technical Description
If you have a Magento eCommerce store, feel free to contact our Magento eCommerce experts here for further advice and next steps.