Thousands of Australian eCommerce Stores Still at Risk


Protecting your Magento eCommerce store, or any eCommerce store, is absolutely critical, yet it's something entrepreneurs pay little attention to. They may feel that because Magento is the most popular eCommerce platform in the world and was once owned by eBay, they have nothing to worry about and security will look after itself.

Sadly, this is not the case, and right now you could be exposed to many potential threats. One such issue Mebsites.com is witnessing right now is a cross-site scripting (XSS) problem caused by vulnerabilities in the Magento ecosystem, which is still putting a huge number of store owners at risk of hijacking, malware takeovers, man-in-the-middle attacks and defacement attempts.

Can you imagine the damage someone could do if they found their way into the backend of your store taking complete control of your business?

Why Are Security Vulnerabilities So Dangerous To Your Magento eCommerce Store?

Think about all the damage you could do to your own online store if you had access to everything. Someone else taking over your store wouldn't hurt you if they did nothing, but attackers are known to use stored XSS flaws to:

  • Manipulate your user privileges (effectively locking you out)
  • Steal sensitive customer data to sell on
  • Sniff traffic to steal and use credit card information
  • Set up fake payment gateways or redirect your gateway to the attacker's
  • Cause almost irreparable damage to your store
  • Install ransomware
  • Deface your store and damage your brand
  • Lose you thousands of sales (and destroy the trust you've built up)
  • Take you offline

You could be vulnerable to the stored XSS flaws if you currently run Magento Community Edition 1.9.2.2 or earlier, or Enterprise Edition 1.14.2.2 or earlier.

At this time you're lucky, because a patch has been made available to the public. Once security firm Sucuri informed Magento of the vulnerabilities, they were quick to come up with an immediate solution in the form of a patch. These patches need to be installed via SSH, along with Magento core updates and any extensions in use.

The Ease With Which You Can Be Exploited

You'll probably not believe how easy it is for someone to destroy your eCommerce store, but all they would need to do is replace a real email address with malicious JavaScript in one of your forms.

Once Magento stores that value and the JavaScript executes, your server running Magento would be at the mercy of an attacker. It's fair to say XSS bugs aren't too hard to exploit to a hacker's advantage.
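To make that mechanism concrete from the defender's side, here is an added Python example (not code from the article, from Magento or from Sucuri) that models the form field described above: a strict server-side email check that rejects a submission carrying markup, the unsafe render pattern that would drop a stored value straight into admin-panel HTML beside its escaped counterpart, and an audit function you could run over an export of stored email fields to find values that should never have been accepted. The sample stored values, the regular expressions and the function names are all constructed for this illustration.

```python
import html
import re
from typing import List, Tuple

# Constructed sample of stored customer "email" values, as might be exported from a
# store database for an audit. The second entry mimics the kind of value the article
# describes (script where an email address belongs); it is a constructed test string.
SAMPLE_STORED_EMAILS = [
    "alice@example.com",
    '"><script>alert("xss")</script>',
    "bob.smith+orders@example.org",
]

# Conservative email shape: local part, one "@", dotted domain, alphabetic TLD.
# It deliberately rejects angle brackets, quotes and whitespace (assumed policy).
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Markup fragments that should never appear inside an email field.
SUSPICIOUS_RE = re.compile(r"<|>|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def is_valid_email(value: str) -> bool:
    """Strict server-side validation: accept only values shaped like an address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def accept_submission(form: dict) -> Tuple[bool, str]:
    """Input-side defence: reject the submission instead of storing a non-address.

    Returns (accepted, stored_value_or_reason)."""
    email = form.get("email", "").strip()
    if not is_valid_email(email):
        return (False, "rejected: email field does not contain a valid address")
    return (True, email)


def render_unescaped(value: str) -> str:
    """The unsafe pattern: a stored value dropped straight into admin-panel HTML."""
    return f"<td>{value}</td>"


def render_escaped(value: str) -> str:
    """Output-side defence: HTML-escape every stored value at render time,
    so a stored script becomes inert text in the administrator's browser."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_stored_values(values: List[str]) -> List[int]:
    """Detection: indexes of stored values that fail validation or contain markup.

    Run this over an export of customer/order email fields to find payloads that
    were stored before input validation was in place."""
    return [
        i for i, v in enumerate(values)
        if not is_valid_email(v) or SUSPICIOUS_RE.search(v) is not None
    ]


if __name__ == "__main__":
    for v in SAMPLE_STORED_EMAILS:
        print(f"{v!r:40} valid={is_valid_email(v)}")
    print("unsafe  :", render_unescaped(SAMPLE_STORED_EMAILS[1]))
    print("escaped :", render_escaped(SAMPLE_STORED_EMAILS[1]))
    print("suspicious indexes:", audit_stored_values(SAMPLE_STORED_EMAILS))
```

Both halves matter: validation stops new payloads from being stored, while escaping at render time protects the admin panel from values that are already in the database, which is why the audit function is worth running once after a patch has been applied.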

Sucuri have already come out and explained how an attacker could use the exploit to become an administrator with little to no effort at all. They also say that anyone whose administration panel hasn't been heavily modified or placed behind a WAF cannot sit back and assume attackers won't target them because they are a small store. Being attacked is not about being big or small; it is about being vulnerable and online. Hackers will find you via automated bots (scripts) scanning for those vulnerabilities. Some weak eCommerce stores, such as WordPress WooCommerce sites, can even be found with a simple Google search. Consequently, it is just a matter of time before you are targeted.

Use The Patch Before It's Too Late

You now know the risks involved, so patch your Magento software before someone targets your store. If you don't know how to secure your website, Mebsites.com will be happy to help you.

We'll also be able to modify your administrative panel to make sure problems like these don't affect you in the future, and create a backup plan. It's nice to know you're in safe hands, and when working with an Australian developer like us, Magento eCommerce store owners will always be able to reach someone immediately via phone, email, ticket system or chat, 24/7.

Magento has grown so much that, with around a third of the market share in eCommerce stores worldwide, it's unfortunately a huge target for malicious attacks, so beware.

Bibliography:

Piotr Kaminski, Magento. (2016, February 23). SUPEE-7405 [Website Page]. Retrieved from https://magento.com/security/patches/supee-7405

Marc-Alexandre Montpas, Sucuri. (2016, January 22). Security Advisory: Stored XSS In Magento [Blog Post]. Retrieved from https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html

Hivemind. (2015, April). eCommerce Market Share Report April 2015 [Blog Post]. Retrieved from https://askhivemind.com/blog/ecommerce-market-report-april-2015

Senior Developer at Mebsites on the Gold Coast, Queensland, Australia. Mebsites is an acclaimed Magento and Custom Framework Web Software coding house.