80% of Magento Stores Still Haven’t Patched Shoplift Bug

Posted on the 5th October 2015

Five months ago, researchers at the security firm Check Point identified a critical vulnerability in the Magento ecommerce system. They called the vulnerability “Shoplift” and publicised their findings. To their credit, eBay, the developers of Magento, patched the vulnerability extremely quickly and spent time improving the security of the software, releasing many more updates over the following months.

However, researchers at Byte have been tracking Magento websites to see how many have patched the issue. Out of the more than 83,500 websites in their database, only 8,336 have applied the patch for the bug. This suggests that there are more than 75,300 unprotected Magento websites.

This is a terrifying statistic when you consider that Shoplift was revealed in April, and that the patch is issued for free.

Byte has statistics for only a fraction of the Magento stores on the internet, but they are aware of 216,934 websites. If the same proportion holds across all of them, this means that there are more than 170,000 unpatched sites. The majority of these sites are powered by the Magento Community Edition, which is free. In some ways, this makes sense, since a company that relies upon the free edition of the software will not, in all probability, have a technical team in-house to take care of updating the software that powers their website.

A Vital Patch

Magento’s patching process is carried out from a command-line console, which can make it a rather intimidating task for those who are not particularly experienced in server maintenance. This is an unusual decision considering so many other platforms can be updated via FTP, or even by auto-downloaders within the admin panel itself. Given that Magento is a relatively ‘high end’ platform compared to, say, OSCommerce or WooCommerce, it would not be unreasonable to expect a more user-friendly patching process in a future release.

Over the last few months, Magento has released the SUPEE 5244, 5994, 6285 and 6482 patches. While the Enterprise Edition is generally well maintained in the wild, the Community Edition is not. Byte has asked some users why they are not updating their software. Common reasons cited include the fact that they do not have terminal access, they do not know how to patch their store, or they are more concerned about the potential downtime of installing a small patch than they are about the risk of their store being hacked.
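For a store owner or host who does have console access, the first question is simply which of the patches named above are already on a given install. The script below is an added example, not code from the article or from Magento itself: it assumes that each console patch script records its name (for example SUPEE-6482) between pipe separators in app/etc/applied.patches.list under the store root, and it reports any patch from the article's list that has no such record.

```shell
#!/bin/sh
# Added example (not from the article or the Magento project): report which
# SUPEE patches from a required list have no record on a Magento 1 install.
# Assumption: each patch script appends a record containing the patch name
# (e.g. "SUPEE-6482") to app/etc/applied.patches.list under the store root;
# if that file is absent, no patch has been applied through the scripts.

# Patch names taken from the article; pass a different list as arguments.
DEFAULT_PATCHES="SUPEE-5244 SUPEE-5994 SUPEE-6285 SUPEE-6482"

# missing_patches <store_root> [patch ...]
# Prints one missing patch name per line. Returns 0 when every patch in the
# list has a record, 1 when at least one is missing.
missing_patches() {
    root=$1
    shift
    patches=${*:-$DEFAULT_PATCHES}
    list="$root/app/etc/applied.patches.list"
    rc=0
    for p in $patches; do
        # Match the name as a whole token so SUPEE-6285 never matches a
        # longer identifier that merely starts with the same digits.
        if [ -f "$list" ] && grep -Eq "(^|[^0-9])$p([^0-9]|$)" "$list"; then
            continue
        fi
        echo "$p"
        rc=1
    done
    return $rc
}

# Demo on a constructed store root; point it at the real store root instead.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app/etc"
printf '%s\n' \
  '2015-09-01 10:00:00 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | constructed record' \
  '2015-09-01 10:05:00 UTC | SUPEE-6482 | CE_1.9.1.0 | v1 | constructed record' \
  > "$demo_root/app/etc/applied.patches.list"
echo "Patches without a record under $demo_root:"
missing_patches "$demo_root" || echo "Store is not fully patched."
rm -rf "$demo_root"
```

A missing record is a reason to investigate, not proof the store is vulnerable: a patch applied by other means (for example a vendor package) leaves no entry in the list.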