Critical Magento Security Vulnerabilities and the Implications of Magento 1 End of Life

In 2015, cybersecurity firm RiskIQ first began tracking card skimming attacks perpetrated by a “loose confederation of online credit card skimmers” they dubbed Magecart, for the attack method they observed: modification of “the mage.php code in Magento websites’ cart sections.” 

Over the last five years, the multiple criminal groups referred to as Magecart have continued to evolve while their numbers grow. This wide network of cyber attackers wreaked so much havoc, they made Wired’s list of The Most Dangerous People on the Internet in 2018. At the time they earned that dubious distinction, they’d already hit at least 6,400 sites.

But Magecart’s growing infamy didn’t slow them down. In June 2019, Cyberscoop published an article about a new Magecart-style attack capable of stealing data from sites using Magento, OpenCart, or OSCommerce payment platforms. 

Just two months later, the PCI Security Standards Council (PCI SSC) and the Retail & Hospitality ISAC (RH-ISAC) issued a joint statement about the risks of Magecart to online merchants, and in early 2020 the FBI issued a similar warning.

Today, Magecart is alive and well, and remains a threat to vulnerable sites on the Magento platform. 

Based on research conducted in Q2 of 2019, cybersecurity firm Foregenix found that 87% of small and medium-sized businesses on the Magento platform were at high risk of an attack — compared to less than 10% of websites on other popular platforms.

Let’s take a look at four of the most critical Magento security risks, how the Magento 1 End of Life will impact security, and ways to increase store security on the platform. 

Common Security Risks Seen on Magento 

Open source platform Magento can be vulnerable to security issues. Open source software has an open development process, giving merchants the ability to edit their own source code. The advantage of having this control is the flexibility and vast opportunity for customization. The disadvantages, however, include that you’re undertaking certain responsibilities to keep your site safe, under Magento’s Shared Responsibility model. 

During the time between the issuance of a new security patch and you actually installing it, you may be at risk. And if your software isn’t updated to the latest version — also your responsibility — you’re leaving even more room for malicious actors to slip in. 

For some businesses, the customization and in-house control of open source is attractive — but they must be prepared for the greater risks that come along with it. Here are some of the biggest security risks typically seen on Magento ecommerce sites.

1. Server attacks. 

If your ecommerce site is hosted on a server under your control, you’ll have to be prepared to protect it from distributed denial of service attacks. Also known as DDoS, these attacks purposely overwhelm the server with traffic, interrupting service on your ecommerce site. 

Think of it as a traffic jam keeping legitimate customers from turning into the parking lot of your store. For every minute shoppers aren’t able to browse your store or complete purchases, you could be losing revenue.

2. Website defacement. 

Sometimes, malicious users just want to wreak havoc. Website defacement usually involves having your homepage vandalized or various files across your site being deleted. Though the attacks aren’t typically personal in nature, many attackers will leave obscene or hateful messages when they deface your site. 

In October 2019, Magento issued a security patch for a vulnerability that opened a door in Magento Commerce for remote code execution, which is one way attackers get in to deface your site. Third-party apps and integrations can also introduce these kinds of vulnerabilities.

This can, of course, impact your brand reputation if the defacement isn’t spotted quickly. If shoppers believe your ecommerce site to be insecure, they’ll hesitate before handing over payment information to complete a purchase.

3. Credit card hijacking.

Credit card hijacking, also called card skimming or silent card capture, happens when attackers are able to exploit a vulnerability that allows them to tap into payment data coming through your shopping cart. This is what Magecart attackers are known for.

This kind of cyber attack works by exploiting known software vulnerabilities to inject malicious JavaScript code into online checkout software systems. It has a relatively low barrier to entry, making credit card skimming a common form of cyber attack on ecommerce sites. 

One of the biggest dangers of this is that it can go undetected for a long period of time, compromising sensitive personal and payment information. Losing your customers’ personal information and putting them at risk of identity theft is one of the quickest ways to lose trust, deterring customer acquisition and loyalty. This Visa document details what you should do if your site security is breached. 

4. Botnetting. 

The purpose of botnets is to perform mundane tasks automatically — and much more quickly than any human or group of humans could dream of. The most common use for bots, “crawling,” is not actually malicious; this is how search engines like Google know your site exists and what it contains. 

But in some cases, they can be used to add your machine to their web of connected machines, putting it under someone else’s control. At that point, the botnet can be used to carry out malicious activity — for example, sending spam emails from your address to millions of internet users. Not only will that reduce recipients’ trust in your brand, it could also reduce your emails’ deliverability in the future if your server is blacklisted by spam filters.

Sunsetting Magento 1

On June 30, 2020, Magento 1.X — a series of versions of Magento — will officially sunset. In other words, it will reach “End of Life.” That means that Magento will no longer create updates or issue security patches for the product. 

While that doesn’t mean your store will disappear from the internet or that you’ll be unable to conduct business at all, it does introduce a whole host of significant challenges: 

• Without security patches, you’ll be at risk of data breach if new vulnerabilities are discovered.
• You could lose compatibility with third-party integrations, leading to instability and inconsistent site performance.
• Lack of improvements to core features mean you run the risk of falling behind your competitors. Without these “quality of life” fixes, the performance of your site over time will likely suffer slower speeds, visual bugs, and layout, according to this Magento developer agency.

Staying on the platform after its EOL introduces serious concerns — and one of them is cybersecurity. Retailers remaining on Magento 1 after its end of life could be opening themselves to serious security risks. 

Here are a few of the other potential frustrations you could experience if you remain on Magento 1: 

• Third-party apps are unlikely to get any new updates and eventually will be incompatible with Magento 1.
• New extensions for your store will be few and far between — if there are any at all. One Magento development agency writes, “[T]he majority of module vendors will no longer support their third party extensions … (at the developer’s discretion).”
• Some development agencies may stop working on Magento 1 sites, and this is likely to be an increasing trend as we move further past the EOL date. 
• Without Magento providing support, developing security patches, or issuing quality fixes, you and your team will be fully responsible for not just the day-to-day maintenance you’re used to, but also the foundational safety and functionality of your legacy software. 

Magento 1 End of Life: Security Risks Increase 

With Magento no longer supporting version 1 with security patches and software updates, if new vulnerabilities in Magento 1 which endanger merchant PCI compliance are discovered, merchants must assume responsibility for taking the necessary security precautions to remain in PCI compliance. Failure to do so could mean a loss of reputation, and vulnerabilities to your store and customer data. 

Even if you’re willing to take the risk, your payment provider may not be. 

Your level of risk becomes greater, too, because Magento 1’s sunsetting isn’t a secret. After the last security patch is issued, cyber criminals will know exactly where to look for likely vulnerabilities. 

1. No security patches. 

If you’re on Magento Open Source 1 (formerly known as Community Edition), you’re likely already accustomed to not seeing any new features. The company announced in September 2018 that they would only be issuing security patches through end of life for this version, and no more quality fixes would be issued. 

But the ending of those security patches is a really big deal. If someone identifies a vulnerability in the Magento 1 system after end of life — whether you’re on Open Source or Enterprise — there won’t be anyone at Magento to patch it. 

Just last October, Magento released an update for Magento 1 that addressed 12 security vulnerabilities. Magento 1’s sunset won’t eliminate the opportunity for vulnerability; in fact, it will make it much more difficult to fix, because merchants will be on the hook for developing a patch themselves — or finding a Magento developer who has. You’ll want to make sure to have a team at the ready, if that happens. 

And, unlike when Magento 1 was still supported, that security team will have to not only install patches, but create them as well. That will require more developer resources — and the cost of paying them.

2. Losing PCI compliance. 

Maintaining PCI DSS requires organizations to develop and maintain secure systems and applications, which includes taking proactive measures to protect your systems and software, and installing critical vendor-supplied security patches. 

You’ll want to make sure you’re doing everything in your power to maintain PCI compliance. Falling out of compliance could keep you from working with most reputable payment providers. They’ll want to know that you’ve implemented the proper security measures to prove you can accept payments securely.

3. Ransomware. 

Ransomware is a form of malware that can keep you from accessing your own data. Here’s where the “ransom” part comes in. Malicious users hold your data “hostage” and charge a ransom. They claim if you pay it, they’ll give you your data back. Sometimes they do — and sometimes not. Either way, it’s an expensive problem to mitigate. 

If new vulnerabilities are discovered in M1 after EOL that make ransomware attacks possible, you’ll be responsible for patching them. In 2016, according to Digital Commerce 360, Magento issued security patches and removed an extension “as a precaution to fend off content management system malware.“ Ransomware is one of the best arguments in favor of keeping recent, comprehensive backups of your site and your data. 

4. Vulnerabilities in extension base. 

Keeping your site updated means also keeping your extensions up-to-date. In early 2019, security researcher Willem de Groot reported that vulnerable third-party extensions were the most common source of attack. 

But coordinating these multiple updates can be a challenge — and a change to any interlocking piece of your tech stack can have unintended consequences on other pieces.   Without support from Magento — and as extension developers become more focused on Magento 2 — this will become an even more burdensome issue for your team. 

5. Lack of Magento support. 

If you stay on Magento 1 after it’s sunset, the updates and security patches will be no more. That means the responsibility for security and functionality falls solely on you. You’ll want to make sure you have access to developers — preferably those very familiar with Magento — to find ways to secure your store and protect against cyber attacks. 

How Can You Secure a Magento 1 Store? 

Your options for securing a site on Magento 1 are pretty limited. Once you find yourself without the support from Magento, one option would be to hire a part- or full-time security consultant to focus on preventing attacks. That can get expensive — quickly. 

Some managed hosting companies are also offering hosting services they say will provide platform security. While these solutions can manage server security to thwart attacks like DDoS, it’s not a complete solution. Most companies aren’t offering the patches and updates you’ll still need to make to your Magento source code. Taking this route will also be expensive, so prepare your budgets accordingly.

Will the Security Risks Go Away With Magento 2? 

You won’t have the same level of risk on Magento 2 as if you stay on Magento 1 after its end of life. That doesn’t mean all your problems automatically disappear, but at least Magento will be actively seeking vulnerabilities and issuing patches for them. The ecommerce platform issued six security updates in 2019 to fix discovered vulnerabilities.

It’s important to note, however, that moving from Magento 1 to Magento 2 does require a full migration, similar to if you were choosing a new ecommerce platform altogether. 

Steps For Securing a Magento 2 Website 

Staying on Magento 1 will have you jumping through hoops to keep your site secure. Ensuring the security of a Magento 2 installation will be quite a bit easier than that, since you’ll have Magento providing support, patches and updates — but you’ll still need to manage PCI compliance and ensure you’re applying patches and updates right away. 

While Magento 2 is technically PCI compliant, once you as the merchant begin to  make changes to the source code, you take on more responsibility for your security. From Magento’s Shared Responsibility page: “Customers are responsible for the PCI requirements of their customized application and their own processes.” 

As Magento writes in their webpage on Shared Responsibility, “The customer is responsible for the security of their customized instance of the Magento Commerce application running on the Magento Commerce cloud environment.” And that means you’ll need to: 

• Ensure secure configuration and coding.
• Conduct proactive security monitoring like penetration testing and regular vulnerability scans.
• Ensure the security of all customizations, extensions, apps, or integrations. 
• Control all code deployments security patch applications.

And, the more you customize your store, the more difficult it will be to install future updates and patches. This means the challenges will keep rolling in, even if you replatform to Magento 2. But these updates and patches are critical to your security; the stakes are too high to ignore them.

1. Sign up for security alerts and install all Magento security patches.

Make sure to stay tapped into all information coming out from Magento, and respond immediately to any security alert, issued patches, or software updates. Once a vulnerability has been discovered, you’ll want to have your development team implement a fix as soon as possible to keep your site safe.

2. Add Magento security extensions.

There are a number of security extensions built just for Magento that you can install to help reinforce the security on your website. These extensions may offer features like the ability to block certain IP addresses, strengthen login security, protect against fraudulent orders and payments, and detect and remove malware. 

3. Monitor Magento Security Scan.

Magento’s Security Center offers a free scan you can use to monitor for security risks, update malware patches, and detect any unauthorized access to your website. You can schedule the scan to run automatically at intervals of your choice, and get real-time insight into your store’s security.

4. Use a WAF. 

A WAF is a web application firewall. Using this can help prevent a number of different kinds of attacks by filtering out malicious web traffic. WAFs can protect against attacks like cross-site forgery, cross-site scripting, file inclusion, and SQL injection. WAFs are an important tool in your security toolkit, but you shouldn’t rely on it as your only security measure.

5. Enable two-step authentication.

Two-step authentication protects your login to a system, adding an extra layer of security on top of password protection. Instead of just signing in with a password, users will have to confirm their identity through a second factor like entering a unique code sent to the user’s email. 

Migrate To a New, Secure Ecommerce Platform 

Whether you move to Magento 2 or switch to a new ecommerce platform provider, you will be undergoing a full replatform — including data migration and new themes and templates. This, as you already know, is extremely time consuming. 

If you’re going to go through that whole process, it’s worth examining your other options first, and re-evaluating whether Magento is the right platform for your store at all.

Here’s a look at some of the top ecommerce platforms. Use this decision tree to help you decide which one best fits your business.

Migrating to an open SaaS ecommerce platform like BigCommerce can help significantly reduce your security risks and eliminate the need for your team to make software and security updates. 

Choosing a SaaS platform comes with included hosting, reliable performance, and security. The platform takes care of all software updates and security patches, protecting you from server attacks and maintaining your PCI compliance. (Note: Magento Commerce Cloud also includes hosting, but uses a shared responsibility model for security.)

With flexible APIs from BigCommerce, you can build what you want, seamlessly connect to extensions, innovate with creative digital experiences, and scale as you grow. BigCommerce also supports options like headless, including Progressive Web Apps, that have previously required an open source platform. 

Conclusion

If your store is still on Magento 1, you have some serious decisions to make, and you’re running out of time — fast. 

Remember, if you’re still on M1 after the EOL date:

• You’ll lose support from Magento around security patches and software updates. 
• Your third-party extensions may stop working with each other or with your Magento 1 software, leaving your site’s functionality or business operations severely impeded.
• Expensive development costs will be coming your way for ensuring security and software performance. 

Magento 1 EOL presents an opportunity to re-examine your true ecommerce needs as a business — and where you want to allocate your hard-earned revenue. 

If you’re looking for an option that leaves you with fewer security concerns keeping you up at night so you can get laser-focused on growth, replatform to a flexible, open SaaS platform — and start today. 

Replatform with a secure solution from BigCommerce.