Magento 1 End-of-Life Offers Opportunities for Hackers


A popular Content Management System (CMS) software version is soon set to be retired, potentially exposing hundreds of thousands of companies to the risk of digital skimming attacks.

Launched in 2007, Magento 1 currently powers around 12% of global e-commerce stores, or 250,000 active sites, according to security firm Sucuri.

However, with end of support set to land in June 2020, there will be new opportunities for attackers to compromise these websites to access sensitive customer data.

All eyes will be on the groups using the infamous Magecart skimming code to harvest card details as they are entered into e-commerce website payment pages.

“It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any e-commerce business,” explained Sucuri’s Art Martori.

“When you consider the popularity of the Magento e-commerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of e-commerce retailers scrambling for new solutions.”

By exploiting Magento 1 vulnerabilities that emerge after June 2020 and go unpatched, these hackers could therefore theoretically implant the malicious JavaScript on even more sites next year.

They have already compromised an estimated several hundred thousand sites and millions of users, and possibly many more.

Hackers have even sought to exploit misconfigured Amazon Web Services (AWS) S3 buckets to implant the code onto more sites.

Sucuri recommended web application firewalls (WAFs) as a useful way to protect end-of-life platforms like Magento 1 while potentially easing the pain of migration.
