Detectify’s researchers analyzed 30,000 e-commerce stores

Detectify’s researchers analyzed 30,000 e-commerce stores

As the holiday season draws closer, the security researchers at Detectify have taken a deep dive into e-commerce security and analyzed 30,000 of the world’s most popular Magento stores. The results show that many online retailers are making serious security mistakes – in this article you will find out more about Detectify’s research and also learn how to keep your e-commerce business safe.

30,000 online stores vs 3 publicly available vulnerabilities

To take a quick snapshot of Magento stores’ security across the globe, the Detectify team analyzed 30,000 of the world’s most popular Magento sites based on Alexa rankings. The sample was then checked for 3 publicly available vulnerabilities as well as forced HTTPS, a basic security measure that prevents attackers from intercepting sensitive information.

Configuration file available on 500 stores
The /app/etc./local.xml file was a configuration file that contained the hidden path to the admin pane and the database password. Note the past tense here – this is an old vulnerability that isn’t a problem if you’re using a updated version of Magento. Magento stores running on servers other than Apache would serve this file to anyone, which is pretty bad, but what’s really scary is that 500 of the world’s top Magento stores are still vulnerable.

Exposed order history on 1,500 sites
Let’s talk about /RSS/order/NEW/new . This is an API for order history without any server-side authentication, allowing anyone to access sensitive order history data including customers’ personal information. This vulnerability was patched two years ago, but was still found it on 1,500 sites.

7,000 exposed admin panels
Leaving your admin panel exposed at /admin is the exact opposite of a best practice as it makes it easier for hackers to try and log in. Magento generates a warning if you make this mistake, but 7,000 of the webshops in the sample have an exposed admin panel.

50% missing HTTPS by default
Protecting customers by ensuring they are using HTTPS is becoming an increasingly common best practice, especially for businesses that are handling sensitive information like credit card details. Despite this, a surprising half of the web stores analyzed by Detectify do not use HTTPS by default.

5 quick security tips from Detectify’s security experts

1. Keep your platform up to date
This applies to all e-commerce solutions, not only Magento! Updates often include security patches – the vulnerabilities Detectify’s researchers checked for in their analysis have all been patched in newer versions.

2. Make sure your admin panel is not exposed
This is not a critical vulnerability in itself, but it broadens the attack surface and paves the way for attackers to try and bruteforce your password.

3. Implement HTTPS by default
Your customers might not be as tech-savvy as you are and chances are they don’t know how to manually switch to https. To keep them and their data safe, set up HTTPS by default.

4. Use a strong password
Weak and easy-to-guess passwords like password, 123456, and admin are still surprisingly common. If you need help coming up with and remembering strong passwords, consider using a password manager.

5. Monitor your security
Staying up to date with the latest vulnerabilities is time-consuming, but luckily, automation can do the heavy lifting. Detectify is an automated security monitoring service for web applications and was built by the cool people who did the research behind this article.


Curious about how a hacker would analyze and attack a Magento website? Sign up for Detectify’s video seminar where security researchers Linus Särud, 18, and Fredrik Almroth, 27, share their insights and advice on e-commerce security.