14 Jun 2016

Shoplift: the Magento nightmare is back

The Magento team has released a patch for a critical security breach (SUPEE-5344) that allows an attacker to obtain a remote shell as the root account (RCE, Remote Command Execution). One year later, it appears that more than 50% of Magento eCommerce retailers have yet to patch their store or upgrade to a version of Magento without the vulnerability. Find out in this article how critical this breach is, and learn about an innovative method to vaccinate your eCommerce site against future vulnerabilities.

The Shoplift vulnerability is more dangerous than ever for eCommerce sites

The Shoplift breach, also known under the name SUPEE-5344, is a critical vulnerability that allows an attacker to execute any command on a server and take full remote control of an online store. Once an attacker holds these rights on the server, any malicious act becomes possible.

These websites are used to sell goods online, and in the process they capture personally identifiable information, including credit card details. The impact of a compromised Magento website can be a real nightmare for every online buyer who uses, or has used, a store built on the platform.

This vulnerability can be easily exploited, just take a look at this video:

Hackers use fake patch to compromise your Magento site

Attackers are still looking for Magento installations that have not patched this particularly bad vulnerability, and this time they are trying to trick people into downloading a fake patch. The vulnerable Magento versions are CE prior to and EE prior to

Retailers running these Magento versions should immediately ensure that their store is patched and runs on an up-to-date version of Magento. If a store has been unpatched, store owners should check all administrative users to ensure that they are genuine, and all administration passwords should be changed.
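The three checks just described (is the real patch in place, is the downloaded patch the genuine one, are all admin accounts known staff) can be scripted. The following is an added example, not code from OZON or from the Magento project. It assumes that Magento 1's `app/etc/applied.patches.list` is pipe-separated with the patch id in the second field and that a reverted patch leaves a line containing the word REVERTED; it assumes the admin rows mirror the `username`, `email`, `created` and `is_active` columns of Magento 1's `admin_user` table; and the expected SHA-256 must be taken from Magento's own download page, not from whatever e-mail or site delivered the file. All sample data below is constructed.

```python
"""Post-Shoplift (SUPEE-5344) defender checks for a Magento 1.x store.

Added example (not OZON's or Magento's own code). Assumptions:
  - applied.patches.list lines are pipe-separated, patch id in field 2,
    and a reverted patch appends a line containing REVERTED
  - admin rows carry Magento 1's admin_user columns
  - the expected hash comes from the vendor's own download page
"""
import hashlib
from datetime import datetime

# Constructed sample of app/etc/applied.patches.list (not real store data).
SAMPLE_PATCH_LIST = """\
2015-02-10 12:08:42 UTC | SUPEE-1533 | CE_1.9.1.0 | v1 | 0123abcd | Mon Feb 9 10:00:00 2015 +0200 | v1.9.1.0..v1.9.1.1
2015-05-20 09:15:01 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 4567ef01 | Tue Feb 3 12:08:42 2015 +0200 | v1.9.1.0..v1.9.1.1
"""

# Constructed line recording a later revert of the same patch (assumed format).
SAMPLE_REVERT_LINE = "2015-06-01 08:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 4567ef01 | REVERTED\n"


def applied_patches(patch_list_text):
    """Return the set of patch ids currently applied; reverted entries are dropped."""
    applied = set()
    for line in patch_list_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2:
            continue  # blank or malformed line
        patch_id = fields[1]
        if "REVERTED" in line.upper():
            applied.discard(patch_id)
        else:
            applied.add(patch_id)
    return applied


def shoplift_patched(patch_list_text):
    """True when SUPEE-5344 is recorded as applied and not reverted."""
    return "SUPEE-5344" in applied_patches(patch_list_text)


def patch_file_is_genuine(patch_bytes, expected_sha256):
    """Compare a downloaded patch with the hash published by the vendor.

    A fake patch delivered by e-mail will not match the hash on Magento's
    own download page; expected_sha256 must come from that page.
    """
    return hashlib.sha256(patch_bytes).hexdigest() == expected_sha256.lower()


# Constructed admin_user rows; the third account is the kind of thing to flag.
SAMPLE_ADMIN_USERS = [
    {"username": "alice", "email": "alice@example-store.test",
     "created": "2014-03-01 09:00:00", "is_active": 1},
    {"username": "bob", "email": "bob@example-store.test",
     "created": "2014-06-12 14:30:00", "is_active": 1},
    {"username": "sysadmin2", "email": "x@mailinator.test",
     "created": "2015-04-22 03:14:07", "is_active": 1},
]
KNOWN_STAFF = {"alice", "bob"}  # maintained by the store owner, outside Magento


def suspicious_admins(rows, known_usernames, since):
    """Flag active admin accounts not on the staff list or created on/after `since`.

    `since` is the earliest date the store may have been exposed, e.g. the
    day the vulnerability was published if patching happened later.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for row in rows:
        if not row.get("is_active", 1):
            continue
        created = datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S")
        if row["username"] not in known_usernames or created >= cutoff:
            flagged.append(row["username"])
    return flagged


if __name__ == "__main__":
    print("SUPEE-5344 applied:", shoplift_patched(SAMPLE_PATCH_LIST))
    print("after revert:", shoplift_patched(SAMPLE_PATCH_LIST + SAMPLE_REVERT_LINE))
    print("admins to review:", suspicious_admins(SAMPLE_ADMIN_USERS, KNOWN_STAFF,
                                                 "2015-01-01 00:00:00"))
```

On a live store, feed `applied_patches()` the contents of `app/etc/applied.patches.list` and `suspicious_admins()` the rows of `SELECT username, email, created, is_active FROM admin_user`; every flagged account should be confirmed with the person it supposedly belongs to, and all admin passwords rotated regardless of the result.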

How to protect your eCommerce sites against vulnerabilities for good?

Installing patches and updating your Magento website is no longer sufficient to protect your eCommerce site. Very often you have no time to act: the damage has already been done. Even if the patch was applied on time (assuming you have not installed a fake patch, as mentioned above), new vulnerabilities are being identified every day.

Staying up to date on the latest vulnerabilities and applying patches may help to keep your eCommerce site secure. However, it takes time. Time that could be spent on growing your business turnover and satisfying your customers.

It is with this in mind that OZON has released a cybersecurity solution dedicated to eCommerce, in order to identify the latest vulnerabilities and easily apply patches whatever the cause of the vulnerability. Thanks to its innovative virtual patching technology, your website is always secure with OZON, even if your website is no longer up to date. You do not believe me? Try it for yourself for free!