A lot has been written lately about the fact that nearly 90% of companies that use the Magento ecommerce platform run on an old 1.x version. Most of the reasons for choosing to stay with the older version can be summarized as either too costly to upgrade to 2.x or the unwanted burden of worrying about the stability of a new system—the syndrome colloquially known as if it ain’t broke, don’t fix it.
However, in the world of zero-day vulnerabilities, frequent security patches, and web applications, this is a recipe for trouble. As we have read on just about every page of web application history, lack of upgrades is one of the most common causes of exposure to security risks and hacks.
Magento-based ecommerce sites have been notorious for both first- and third-party code attacks. In this attack vector, malicious code is added either server-side or client-side, in the shopper's browser, and then allows hackers to skim users' credit card data and personal information.
End of life for Magento 1.x
In September of 2018, Magento announced end-of-life for version 1.x with a last support date of June 2020. What this means specifically is that Magento will cease to release security patches and updates after this date. Websites running Magento 1.x will remain exposed to existing and new vulnerabilities with no recourse to fix them.
Leaving a retailer's ecommerce site on an unpatched system is unfathomable. For comparison, Magento 2.x had 75 (!!) security-related updates and security enhancements in 2019. Knowingly leaving a system on an old, EOL version of Magento will open up any ecommerce site not only to hackers, but to a waterfall of potential claims from those affected by future breaches, for failure to comply with best practices, updates, and more. By way of example, in an ironic twist of fate, hundreds of counterfeit sneaker sites running an outdated version of Magento 1.x were hacked and users' credit cards were siphoned to a hacker group.
Magento 2.x will continue to benefit from ongoing security updates and support, which makes it generally more secure than version 1.x. In addition, version 2.x has many inherent security advantages out of the box. It includes protection against specific XSS (cross-site scripting) vulnerabilities, stronger hash algorithms (SHA-256 vs. MD5) and a number of other security features.
Risks associated with moving to Magento 2.x
Second, in the real world, virtually every commercial website relies on third-party tools such as analytics tags, advertising scripts and live chat widgets to enhance the functionality of the site. All of these scripts vastly increase the attack surface of a website.
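As an added illustration (not code from the original post, nor from Magento or PerimeterX), the Node.js snippet below audits the script tags of a served storefront page against an allowlist of expected script hosts and derives the matching Content-Security-Policy script-src directive from that same allowlist; the hostnames, allowlist and page fragment are constructed samples.

```javascript
// Added example: audit the <script> tags of a served storefront page against
// an allowlist of expected script hosts and derive a matching CSP directive.
// The allowlist, hostnames and page fragment below are constructed samples.

const ALLOWED_SCRIPT_HOSTS = new Set([
  'shop.example',                 // first-party storefront (hypothetical)
  'www.googletagmanager.com',     // analytics tag
  'widget.chat-vendor.example',   // live chat widget (hypothetical vendor)
]);

// Constructed page fragment: three expected scripts, one script from a host
// nobody approved, and one inline block.
const SAMPLE_HTML = `
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script async src="//widget.chat-vendor.example/loader.js"></script>
<script src="https://cdn.unknown-host.example/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Collect the src of every <script> tag; tags without src are inline scripts.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i;
  const external = [];
  let inlineCount = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (src) external.push(src[1]);
    else inlineCount += 1;
  }
  return { external, inlineCount };
}

// Report script hosts not on the allowlist, the number of inline scripts (a CSP
// blocks these unless nonced or hashed), and a script-src built from the list.
function auditScripts(html, pageOrigin, allowed) {
  const { external, inlineCount } = extractScripts(html);
  // Relative and protocol-relative URLs resolve against the page origin.
  const hosts = external.map((src) => new URL(src, pageOrigin).host);
  const unexpected = [...new Set(hosts.filter((h) => !allowed.has(h)))];
  const ownHost = new URL(pageOrigin).host;
  const thirdParty = [...allowed].filter((h) => h !== ownHost);
  const csp = "script-src 'self' " + thirdParty.map((h) => 'https://' + h).join(' ');
  return { unexpected, inlineCount, csp };
}
```

This is a static check of the HTML the server emits; scripts injected at runtime by an already-loaded third-party tag are only caught by the resulting CSP or by in-browser monitoring.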
More security is needed
What is certain is that the moment 1.x becomes obsolete and all those sites need to upgrade to 2.x, this will create a focus and an opportunity for hackers. Just as the engineering team is dealing with the upgrade, hackers will look to exploit its lack of familiarity with the new system and any other hole in the system.
Retailers with ecommerce sites that are running Magento 1.x should upgrade, but that is only step one on the path to providing the right security and safety for their users. The next step would be to consider deploying a number of security products that add layers of security that the Magento platform alone does not provide.
PerimeterX provides application security technology, including Bot Defender and Code Defender.