The first release of Magento platform reaches the end: updates needed

The heavily exploited Magento 1.x bugs get patched when the first version reaches end-of-life on June 30th

Adobe stops supporting the Magento first line and security is an issue since updates can fix critical flaws. Various service providers like Visa and Mastercard warns other online store owners about the end of Magento 1.x.^[1] There are tons of e-commerce providers that still run the Magento CMS, so they can become vulnerable to hacker attacks.^[2] The danger in these past years with the platform was considered high due to heavily exploited bugs in Magento.

After the support end date, Adobe will not be responding to any further security issues for Magento 1 and all Magento 1 extensions will be removed from the Magento Marketplace.

Stores get breached, and hackers insert payment card-data stealing codes at the checkout form. These attacks, called web skimming or Magecarts got extremely dangerous and profitable for malicious actors.^[3] Website admins get urged to update their Magento Commerce 1 and Magento Open Source 1 e-commerce platforms, so the latest updates can patch the newest vulnerabilities.

The most serious, categorized as critical, is the PHP object injection bug that can result in the execution of the arbitrary code.^[4] Other important vulnerabilities if used can trigger the exposure of sensitive information. Even though these bugs require administrative privileges to get executed, it is not that hard to achieve.

MasterCard and Visa warnings

Mastercard issued a security alert to customers, regarding the bug exploitation issue. According to the alert, most of the web skimming incidents were related to older versions of the Magento web store software. The company said that the investigation held by the Mastercard Account Data Compromise team revealed that at least 77% of investigated companies are not reaching the PCI DSS requirement 6 that is a rule for store owners.

Visa issued an alert back in April, and the warning was for store owners who need to update their Magento to 2.3.x, so the exploit of vulnerabilities can get avoided.^[5] Visa made their point very clear and stated that if the merchant fails to move up from Magento 1.x, their compliance with the PCI DSS standard will fall out. This might be disastrous for online stores and other companies that need to manage online credit card payments. This can make their platforms directly liable for the damage affecting customers directly.

The end-of-life was delayed already

Adobe released final security updates for the Magento 1.x and said that it is important to update to Magento 2.x since the EOL is coming. At least 110,000 stores still use the version 1.x despite the fact that the end-of-life for Magento was announced back in 2018. Only 37,500 stores have already installed the new branch of Magento.

When the Magento 1 is no longer supported, any new exploits can lead to disastrous losses since patches will not be released. Even though some experts state that new Magento 1.x vulnerabilities were not posted in a while, hackers can easily exploit them after the EOL and do that on purpose.

There were many alerts and warnings about the end to the Magento first line and the transition was planned a few years back. Web skimming attacks become more common each year, so there are no proper solutions except the firewall settings and updates.

In 2018 an extension was announced of the support for a further two years and after 55 months, it will finally be coming to an end on June 30th, 2020.