Magento has announced it will end support for its Magento 1.x software in June 2020, leaving the many online retailers still using that ecommerce platform with no source of security patches and updates. Moving to Magento 2.x is a wise idea, but could create new risks for tech teams unfamiliar with that version of the Magento platform.

Ken Zwiebel, general manager, PerimeterX

Ken Zwiebel, general manager, PerimeterX

A lot has been written lately about the fact that nearly 90% of companies that use the Magento ecommerce platform run on an old 1.x version. Most of the reasons for choosing to stay with the older version can be summarized as either too costly to upgrade to 2.x or the unwanted burden of worrying about the stability of a new system—the syndrome colloquially known as if it ain’t broke, don’t fix it.

However, in the world of zero-day vulnerabilities, frequent security patches, and web applications, this is a recipe for trouble. As we have read on just about every page of web application history, lack of upgrades is one of the most common causes of exposure to security risks and hacks.

Just as the engineering team is dealing with the upgrade, hackers will look to exploit their lack of familiarity with the new system and any other hole in the system.

Magento-based ecommerce sites have been notorious for both first- and third-party code attacks. This attack vector is where code is added either server-side or through the client side, in the browser, which then allows hackers to skim users’ credit card data and personal information.

Magento is an open source package of scripts that many ecommerce websites are built with, which means these JavaScript files run on thousands of websites around the world. In fact, the now infamous Magecart attacks received their name from Magento being compromised so frequently.

advertisement

End of life for Magento 1.x

In September of 2018, Magento announced end-of-life for version 1.x with a last support date of June 2020. What this means specifically is that Magento will cease to release security patches and updates after this date. Websites running Magento 1.x will remain exposed to existing and new vulnerabilities with no recourse to fix them.

Leaving a retailer’s ecommerce site on an unpatched system is unfathomable. For comparison, Magento 2.x had 75 (!!) security-related updates and security enhancements in 2019. Knowingly leaving a system on an old, EOL version of Magento will open up any ecommerce site not only to hackers, but to a waterfall of potential claims from those that will be affected from future breaches for failure to comply with best practices, updates, and more. By way of example, in an ironic twist of fate, hundreds of counterfeit sneaker sites running an outdated version of Magento 1.x were hacked and user’s credit cards were siphoned to a hacker group.

Magento 2.x will continue to benefit from ongoing security updates and support which will make it generally more secure than version 1.x. However, version 2.x also has many inherent security advantages out-of-the-box. It includes protection against specific vulnerabilities surrounding XSS (cross-site scripting), strengthened hash algorithms (SHA-256 vs. MD5) and a number of other security features.

Risks associated with moving to Magento 2.x

Unfortunately, an upgrade to 2.x alone is not the panacea that many security experts believe. First off, Magento, which was acquired by Adobe Systems Inc. in 2018, goes to great lengths to relieve itself from legal liability surrounding the use of externally developed applications and JavaScripts. Website owners are ultimately liable for the integrity of their application, and any resulting data breaches.

Second, in the real world, virtually every commercial website relies on third-party tools such as analytics tags, advertising scripts and live chat widgets to enhance the functionality of their site. All of these scripts vastly increase the attack surface for a website.

advertisement

Magento websites are particularly targeted for such attacks via third-party code, which are version-agnostic and therefore require a more dynamic and proactive solution that constantly monitors suspicious behavior, no matter the source. When dealing with third-party hacks and supply-chain infiltrations, the source of the problem is not the code-base of the underlying infrastructure of the store. Rather, the source of the tainted code is the dozens of JavaScripts that website owners usually have running on their site. This has been shown to be the vulnerability in a growing number of Magecart attacks as summarized in detail by security expert, Graham Cluley.

More security is needed

What is for certain is that the moment 1.x becomes obsolete and all those sites need to upgrade to 2.x, this will create a focus and an opportunity for hackers. Just as the engineering team is dealing with the upgrade, hackers will look to exploit their lack of familiarity with the new system and any other hole in the system.

Retailers with ecommerce sites that are running Magento 1.x should upgrade, but that is only step one on the path to providing the right security and safety for their users. The next step would be to consider deploying a number of security products that add layers of security that just the Magento platform alone does not provide.

PerimeterX provides application security technology, including Bot Defender and Code Defender.

Favorite

advertisement