Magento 1 still in wide use despite reaching end of life

Popular open source e-commerce platform Magento 1 has reached its end-of-life date, which could pose significant security risks for the large number of online stores still using the platform.

Adobe (which acquired Magento in 2018), Mastercard and Visa are all urging e-commerce companies to update their platforms as soon as possible to avoid becoming an attractive target for cybercriminals.

Usage data from Sansec suggests that over 105,000 installs of Magento 1 are still in operation, compared to just 37,500 installs of Magento 2.

This is despite the fact that Magento 2 was released in 2015, and it has been two years since Magento announced that Magento 1 would reach its end-of-life date.

This end-of-life date has already been pushed back twice — first from November 2018 to 1 June this year, and then from 1 June to 30 June after the coronavirus hit.

Meanwhile, Adobe has issued its final patches for Magento 1 versions, resolving two vulnerabilities that could lead to arbitrary code execution.

Tenable staff research engineer Satnam Narang said attackers have already been heavily targeting the platform by attempting to exploit bugs to insert payment card stealing code into online checkout forms.

“Cybercriminals have routinely targeted Magento sites as part of Magecart attacks, where they inject malicious code into the sites in order to steal payment card information from victims’ customers,” he explained.

“With Magento releasing its final batch of security fixes on June 22, attackers are likely chomping at the bit to exploit any undisclosed vulnerabilities in Magento 1. It is imperative that Magento site owners upgrade to Magento 2 for continued security updates or transition to another e-commerce solution that is still supported.”

Now that version 1 is no longer supported, any further exploit discovered could be terrible news for online retailers.

Image credit: ©stock.adobe.com/au/Jackie Niam