Thousands of Australian ecommerce sites vulnerable to 'Shoplift' bug

More than 4000 retailers in Australia could be vulnerable to a bug in the eBay-owned Magento platform which allows full takeover of ecommerce sites by attackers.

The 'Shoplift' flaw can also be exploited for unauthorised access to customer details and credit card information from site databases, security vendor Check Point noted.

Owner of Dutch Magento hoster Byte.nl, Willem de Groot, tested sites around the world to check if they had applied the SUPEE-5344 security update for Magento.

He found just under 100,000 were vulnerable.

In Australia, de Groot's testing discovered that just over 4000 sites were unpatched as of yesterday.

The list - sighted by iTnews - showed popular camera and electronics dealers, art galleries, travel agents, wine merchants, fashion shops and other retailers as being vulnerable to Shoplift.

iTnews contacted a number of site operators on the list to ask if they were aware of the vulnerability and whether they had patched against it, but received few responses.

SIM card vendor Amaysim told iTnews it had patched its site the same day it was made aware of the Shoplift bug.

De Groot set up testing tools to check for Shoplift on his site and warned that the remote code execution bug was easy to exploit.

"I studied the patch from Magento, and made a working exploit. If I can do it, somebody else can do it," de Groot said.

Magento has alerted users via email and a dashboard notification but does not currently include the patch in its official release of the ecommerce platform. Users have to log in to download the patch.

iTnews has contacted Magento for comment.