Mike Booker – 
New Zealand ecommerce sites have been hit by the vulnerability in the popular ecommerce platform Magneto, Retail News has been told.
The Shoplift bug means retailers using Magento, and who have not implemented a patch to fix the flaw, are open to attackers getting control of their store and its sensitive data, including personal customer information.
Asked what the scale of the problem was among Kiwi sites hit, we were told, “three out of 10, with 10 being a major issue.”
The problems have now been fixed.
Shoplifting issues
Retail News inquiries indicate the Shoplift bug is not widespread in this country.
Ecommerce strategist Greg Randall said that the patch is extremely straightforward for sites that are built to a high standard.
“The problem comes in bad builds where lazy dev teams tamper with core code during the build. This is a major problem with Magento where many ‘cowboys’ do this to cut costs. What they do not realise is that over the long term, the retailer pays exponentially for the short-term savings,” he said.
Mr Randall said that New Zealand and Australia have very few credible Magento development teams.
Indifference to patches
Magneto, owned by eBay, released a patch to close the vulnerability in February, but nearly 100,000 online merchants are estimated to have not installed the patch.
Technology blogger Juha Saarinen has calculated that there are at least 559 sites in New Zealand that are vulnerable.
Magneto said that the Shoplift bug affects both Magento Enterprise and Magento Community Editions and recommended users look for signs to determine if their site has potentially been compromised.
Important measures
The measures should include the following:
Check your list of administrator users for unknown accounts. We have seen vpwq and default manager being used, but any unknown account would be suspicious
Check your Magento installation for any unknown files created recently and appear suspicious. Compare all files to your code repository or staging server
Check server access log files for request POST/index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
Mike Booker is the Editor of Retail News, a web-based newsletter and communication service from Wellington. The above article appeared on April 6, 2015. Retail News supports the Indian Newslink Indian Business Awards, especially the ‘Business Excellence in Retail Trade’ category.
