Thousands of Australian ecommerce sites vulnerable to 'Shoplift' bug

Retailers slow to patch against full-compromise flaw.

More than 4000 retailers in Australia could be vulnerable to a bug in the eBay-owned Magento platform which allows full takeover of ecommerce sites by attackers.

The 'Shoplift' flaw can also be exploited for unauthorised access to customer details and credit card information from site databases, security vendor Check Point noted.

Willem de Groot, owner of Dutch Magento hosting company Byte.nl, tested sites around the world to check whether they had applied Magento's SUPEE-5344 security update.

He found just under 100,000 were vulnerable.

In Australia, de Groot's testing discovered that just over 4000 sites were unpatched as of yesterday.

The list - sighted by iTnews - showed popular camera and electronics dealers, art galleries, travel agents, wine merchants, fashion shops and other retailers as being vulnerable to Shoplift.

iTnews contacted a number of site operators on the list to ask if they were aware of the vulnerability and whether they had patched against it, but received few responses.

SIM card vendor Amaysim told iTnews it had patched its site the same day it was made aware of the Shoplift bug.

De Groot published a tool on his site that checks whether a store is still vulnerable to Shoplift, and warned that the remote code execution bug is easy to exploit.

"I studied the patch from Magento, and made a working exploit. If I can do it, somebody else can do it," de Groot said.

Magento has alerted users via email and a dashboard notification, but the patch is not yet included in the official release of the ecommerce platform: users have to log in to download and apply it separately.

iTnews has contacted Magento for comment.

Copyright © iTnews.com.au . All rights reserved.