If you are following Magento in the news, it should not come as a surprise. If this is new to you, you should take action, right after reading this post. Some security issues have been discovered in Magento, and this requires security patches to be installed ASAP. Let's see what this is all about. And let's see what you should do to secure your Magento.
SUPEE-5344 and SUPEE-1533
Last year a vulnerability was found and labeled SUPEE-1533. In January, another more dangerous exploit was found and labeled SUPEE-5344. But despite for security patches being available to close the holes, many websites are still vulnerable and unpatched. Somehow, the severity of the situation is not getting across to some Magento developers and Magento shop-owners, while already many Magento shops are being hacked because of these vulnerabilities. Many developers in the Magento community have already blogged about how serious this security issue is. With this blog, we hope to make that wake-up call even louder: Patch now!
One of the announcements made by Magento can be found here: http://magento.com/security-patch
The Byte Shoplift tester can be found here: https://shoplift.byte.nl/
What happens when your shop is hacked?
This sounds like a silly question, but to get into details anyway: If your shop gets hacked using one of the vulnerabities mentioned in this blog, many things can happen. And you will not like any of them. In a proof of concept, the SUPEE-5344 vulnerability was used to give extra discount on some products. That example simply showed the danger of the exploit, but not how the exploit was actually being used in the wild.
So far, reports have come in of various modifications made by hackers:
- New admin users in the Magento backend
- Strange orders with no charges
- Modified core files
- Uploaded a new Magento module to modify files easily
- Upload PHP backdoors
Still more is possible: Often, a hack on the application level is used to try outs other hacks on the server level, with the ultimate goal to gain root access to the server.
What to do?
What to do? Well, patch. If you think you don't need to patch, double-check. If you think your site is already safe enough because of some firewall, patch it anyway. If you have installed Magento 184.108.40.206, thinking the latest version will give you all the security you need, upgrade to 220.127.116.11 immediately.
In May 1st 2015, Magento 18.104.22.168 was released. If you can upgrade to this version, it is the easiest way to secure your shop again. Don't wait - otherwise you might be left with a hacked shop. In some cases, upgrading to Magento 1.9 is not an option yet. In those cases, the manual patch procedure is still required. If you need a helping hand to apply the patches, or fix your hacked shop, we are happy to help out. Drop us a mail and we'll see what we can do.