Critical Magento Security Vulnerabilities and How to Avoid Them
September 14, 2020; it was a Monday morning like any other — unless you ran your online store on Magento. Then your case of the Mondays might have included frantically doing damage control because over the weekend almost 2,000 Magento 1 stores were hit in what security researchers at Sansec described as the “largest documented campaign to date.”
It was a fairly typical Magecart attack. Magecart is, according to CPO Magazine, a “loose confederation of online credit card skimmers,” so named because early attacks targeted the mage.php code in the cart sections of Magento websites. While this is the origin of the name, it’s important to note that Magecart attacks do not exclusively target Magento sites, and this type of web skimming can occur on other ecommerce platforms as well.
Magecart is not an official group, but rather a label for a set of tactics. The cybercriminals look for ways to exploit ecommerce software to steal credit card numbers and other personal customer information. This is usually done by capturing customer data as it’s entered into web forms for payment.
In June of 2020, when Magento sunset Magento 1, many predicted the lack of security updates and patches would be a major issue for stores staying on Magento 1. The historic Magecart attack a few months later has certainly added credence to those fears.
Don’t take the risk of discovering your store is part of the next big breach. Let’s take a look at six of the most serious Magento vulnerabilities and how you can increase your store’s security to avoid them.
When Magento stopped supporting Magento 1, businesses still on this version had a day of reckoning. The platform on which they had spent time and money building their sites was no longer secure. Some chose to stay. But they now face the hurdles below.
Maintaining PCI DSS requires organizations to develop and maintain secure systems and applications, which includes taking proactive measures to protect your systems and software, and installing critical vendor-supplied security patches. Falling out of compliance can keep you from working with most reputable payment providers. It also means you’re subject to fines until compliance is reinstated.
In October 2019, Magento released an update for Magento 1 that addressed 12 security vulnerabilities. Magento 1’s sunset didn’t eliminate vulnerabilities; it made them much more difficult to fix because merchants are on the hook for developing a patch themselves — or finding a Magento developer who has. If you are depending on crowdsourced fixes, there is a strong risk that the developers currently keeping Magento 1 merchants afloat will drop off over time. And, unlike when Magento 1 was still supported, your security team now has to not only install patches, but create them as well.
Ransomware is a form of malware that can keep you from accessing your own data. Here’s where the “ransom” part comes in. Malicious users hold your data “hostage” and charge a ransom. They claim if you pay it, they’ll give you your data back. Sometimes they do — and sometimes not. Either way, it’s an expensive problem to mitigate. If new vulnerabilities are discovered in M1 that make ransomware attacks possible, you are now responsible for patching them.
Keeping your site updated means also keeping your extensions up-to-date. In early 2019, security researcher Willem de Groot reported that vulnerable third-party extensions were the most common source of attack. But coordinating these multiple updates can be a challenge — and a change to any interlocking piece of your tech stack can have unintended consequences on other pieces. Without support from Magento — and as extension developers focus on Magento 2 — this has become an even more burdensome issue for Magento 1 sites.
All in all, if you’re still on Magento 1, the updates and security patches are no more. That means the responsibility for security and functionality falls solely on you. You must have access to developers — preferably those very familiar with Magento — to find ways to secure your store and protect against cyber attacks.
Your options for securing a site on Magento 1 are pretty limited. Since you don’t have support from Magento, one of your best options may be to hire a part- or full-time security consultant to focus on preventing attacks. That can get expensive — quickly.
Some managed hosting companies are also offering hosting services they say will provide platform security. While these solutions can manage server security to thwart attacks like DDoS, it’s not a complete solution. Most companies aren’t offering the patches and updates you need to make to keep your Magento 1 site secure. Taking this route will also be expensive, so prepare your budgets accordingly.
Even if you left Magento 1 for Magento 2, before or after the sunsetting, you still have risks to be aware of and to mitigate. According to an October 2020 report by independent cybersecurity company Foregenix, 55% of Magento 2 sites are at a high or critical security risk level.
Open source software, like Magento, has pros and cons. One advantage is that you can access and modify the source code which provides flexibility and vast opportunity for customization. The disadvantages, however, include that you’re undertaking certain responsibilities to keep your site safe, under Magento’s Shared Responsibility model.
During the time between the issuance of a new security patch and you actually installing it, you may be at risk. And if your software isn’t updated to the latest version — also your responsibility — you’re leaving even more room for malicious actors to slip in.
For some businesses, the customization and in-house control of open source is attractive — but they must be prepared for the greater risks that come along with it. Here are some of the biggest security risks typically seen on Magento ecommerce sites.
If your ecommerce site is hosted on a server under your control, you’ll have to be prepared to protect it from distributed denial of service attacks. Also known as DDoS, these attacks purposely overwhelm the server with traffic, interrupting service on your ecommerce site.
Think of it as a traffic jam keeping legitimate customers from turning into the parking lot of your store. For every minute shoppers aren’t able to browse your store or complete purchases, you could be losing revenue.
This only applies if you provide your own hosting with Magento Open Source or Magento Commerce (on-premise). With Magento Commerce Cloud, server security is handled by Amazon Web Services.
Sometimes, malicious users just want to wreak havoc. Website defacement usually involves having your homepage vandalized or various files across your site being deleted. Though the attacks aren’t typically personal in nature, many attackers will leave obscene or hateful messages when they deface your site.
In October 2020, Magento issued a security patch for a vulnerability that opened a door in Magento Commerce for remote code execution, which is one way attackers get in to deface your site. Third-party apps and integrations can also introduce these kinds of vulnerabilities.
This can, of course, impact your brand reputation if the defacement isn’t spotted quickly. If shoppers believe your ecommerce site to be insecure, they’ll hesitate before handing over payment information to complete a purchase.
Credit card hijacking, also called card skimming or silent card capture, happens when attackers are able to exploit a vulnerability that allows them to tap into payment data coming through your shopping cart. This is what Magecart attackers, such as those involved in the September 2020 attack, are known for.
This kind of cyber attack works by exploiting known software vulnerabilities to inject malicious JavaScript code into online checkout software systems. It has a relatively low barrier to entry, making credit card skimming a common form of cyber attack on ecommerce sites.
One of the biggest dangers of this is that it can go undetected for a long period of time, compromising sensitive personal and payment information. Losing your customers’ personal information and putting them at risk of identity theft is one of the quickest ways to lose trust, deterring customer acquisition and loyalty. This Visa document details what you should do if your site security is breached.
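As an added example (not code from the original post or from Magento), the following Python script shows one defensive way to catch the kind of injection described above: it inventories every script on a checkout page, compares it against a previously recorded baseline, and flags any external script loading from a host outside a first-party allowlist. The two page samples, the host allowlist and the function names are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: the checkout page as it looked when the baseline was recorded.
BASELINE_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</head><body><form id="payment"></form></body></html>
"""

# Constructed sample: the same page after a hypothetical injection (two new scripts).
MODIFIED_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
<script src="https://cdn.example-skimmer.invalid/loader.js"></script>
<script>/* constructed placeholder: inline script that was not in the baseline */</script>
</head><body><form id="payment"></form></body></html>
"""

# Assumption: the only host that should ever serve scripts on the checkout page.
ALLOWED_HOSTS = {"shop.example"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def script_inventory(html):
    """Identify each script: 'src:<url>' for external, 'inline:<sha256>' for inline."""
    items = set()
    for attrs, body in SCRIPT_RE.findall(html):
        match = SRC_RE.search(attrs)
        if match:
            items.add("src:" + match.group(1).strip())
        else:
            items.add("inline:" + hashlib.sha256(body.strip().encode()).hexdigest())
    return items

def detect_drift(baseline_html, current_html):
    """Return (added, removed) script identifiers relative to the baseline."""
    base, cur = script_inventory(baseline_html), script_inventory(current_html)
    return sorted(cur - base), sorted(base - cur)

def offsite_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """External scripts whose host is not in the first-party allowlist."""
    urls = [item[4:] for item in script_inventory(html) if item.startswith("src:")]
    return sorted(u for u in urls if urlparse(u).hostname not in allowed_hosts)
```

Run on a schedule against the live checkout page, any non-empty result from either function is a signal worth paging on, since a legitimate deploy should update the baseline rather than trip the check.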
The purpose of botnets is to perform mundane tasks automatically on a vast array of websites — and much more quickly than any human or group of humans could dream of. The most common use for bots, “crawling,” is not actually malicious; this is how search engines like Google know your site exists and what it contains.
But in some cases, they can be used to add your machine to their web of connected machines, putting it under someone else’s control. At that point, the botnet can be used to carry out malicious activity — for example, sending spam emails from your address to millions of internet users. Not only will that reduce recipients’ trust in your brand, it could also reduce your emails’ deliverability in the future if your server is blacklisted by spam filters.
In early 2020, the Center for Internet Security issued an advisory regarding vulnerabilities in Magento software that could be exploited to allow remote code execution. A remote code execution vulnerability allows an attacker to run code of their own choosing on your Magento store.
Bad actors taking advantage of these vulnerabilities could gain access to the system to install programs and view, change or delete data. They could also potentially create new accounts with full user rights.
Cross-Site Scripting, or XSS, is another type of security vulnerability. It allows attackers to run their own scripts on your Magento store. The malicious script runs in the browsers of users visiting the infected pages of your store. In some cases, XSS can even be used to rewrite the HTML content of the page and be used for phishing. According to website security company Astra, from 2014 to 2019, XSS was the most commonly occurring vulnerability on Magento sites.
Ensuring the security of a Magento 2 installation will be quite a bit easier than on Magento 1, since Magento is providing support, patches and updates — but you’ll still need to maintain PCI compliance and ensure you’re applying patches and updates right away.
While Magento 2 Commerce is technically PCI compliant, once you as the merchant begin to make changes to the source code, you take on more responsibility for your security. From Magento’s Shared Responsibility page: “Customers are responsible for the PCI requirements of their customized application and their own processes.”
As Magento writes in their webpage on Shared Responsibility, “The customer is responsible for the security of their customized instance of the Magento Commerce application running on the Magento Commerce cloud environment.” And that means you’ll need to:
Ensure secure configuration and coding.
Conduct proactive security monitoring like penetration testing and regular vulnerability scans.
Ensure the security of all customizations, extensions, apps, or integrations.
Control all code deployments and security patch applications.
And, the more you customize your store, the more difficult it will be to install future updates and patches. But these updates and patches are critical to your security; the stakes are too high to ignore them. A breach of customer trust and the resulting potential fines could put your business at a serious disadvantage.
Here are some best practices to take to keep your Magento 2 store as secure as possible.
Make sure to stay tapped into all information coming out from Magento, and respond immediately to any security alert, issued patches or software updates. Once a vulnerability has been discovered, you’ll want to have your development team implement a fix as soon as possible to keep your site safe.
In 2019, Magento released a range of security patches in addition to three different version updates (2.3.1 to 2.3.2 to 2.3.3). Merchants wanting to stay on the most current version would have had to install six different security patches over 2019 and an additional three patches by the end of April 2020.
There are a number of security extensions built just for Magento that you can install to help reinforce the security of your website. These extensions may offer features like the ability to block certain IP addresses, strengthen login security, protect against fraudulent orders and payments, and detect and remove malware.
Magento’s Security Center offers a free scan you can use to monitor for security risks, update malware patches and detect any unauthorized access to your website. You can schedule the scan to run automatically at intervals of your choice, and get real-time insight into your store’s security.
A WAF is a web application firewall. Using one can help prevent a number of different kinds of attacks by filtering out malicious web traffic. WAFs can protect against attacks like cross-site request forgery, cross-site scripting, file inclusion, and SQL injection. WAFs are an important tool in your security toolkit, but you shouldn’t rely on them as your only security measure.
Two-step authentication protects your login to a system, adding an extra layer of security on top of password protection. Instead of just signing in with a password, users will have to confirm their identity through a second factor like entering a unique code sent to the user’s email. You need to upgrade to the latest version of Magento in order to access two-factor authentication.
If you want the flexibility of Magento, but don’t want to worry as much about security — consider switching to BigCommerce.
Migrating to BigCommerce eliminates the need for your team to make software and security updates. The Open SaaS platform is ISO/IEC 27001:2013 & PCI DSS 3.2, Level 1 certified.
Choosing a SaaS platform comes with included hosting, reliable performance and security. The platform takes care of all software updates and security patches, protecting you from server attacks and maintaining your PCI compliance. (Note: Magento Commerce Cloud also includes hosting, but uses a shared responsibility model for security.)
With flexible APIs from BigCommerce, you can build what you want, seamlessly connect to extensions, innovate with creative digital experiences, and scale as you grow. BigCommerce also supports options like headless, including Progressive Web Apps, that have previously required an open source platform.
If your store is still on Magento 1 at this point and you’re experiencing security risks like the September 2020 attack, you need to move fast.
If your store is on Magento 2, we hope you learned more about the vulnerabilities to keep an eye out for and the best practices to secure your site.
And finally, the true secret to avoiding the security hassles of Magento is…to not use Magento at all. If you’re looking for an option that leaves you with fewer security concerns keeping you up at night so you can get laser-focused on growth, don’t wait. Replatform to a flexible, Open SaaS platform — and start today.
Victoria is a content marketing writer, researcher, and content project manager at BigCommerce. Specializing in writing and web content strategy, she previously spent eight years in public relations and marketing for Tier I research universities. She holds a B.A. in English Writing and Rhetoric from St. Edward’s University and a Master of Liberal Arts from Lock Haven University of Pennsylvania.