Tuesday’s Magento 1 EOL Leaves Clock Ticking on 100K Online Stores

magento 1 eol migration

Adobe and payment-card companies are making last-minute pleas for e-commerce sites to update to Magento 2, to avoid Magecart attacks and more.

With Magento 1 reaching end-of-life (EOL) on Tuesday, Adobe is making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2.

Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. After June 30 (Tuesday of this week), Adobe is pulling the plug on security fixes for Magento Commerce 1.14 and Magento Open Source 1 (formerly known as Enterprise Edition and Community Edition, respectively). E-commerce merchants must migrate to Magento 2, which was released five years ago.

“Thousands of merchants have already migrated to Magento 2,” according to a recent Magento update. “It is the best solution for growing businesses to succeed and thrive in digital commerce. Magento 2 offers a wealth of built-in features that are not available in Magento 1, plus infrastructure that is easier to maintain and support.”

With the number of active users of Magento 1 still topping 100,000, the looming EOL date opens up various cybersecurity issues. The Magecart cybergang, which has previously targeted the platform in order to inject card-skimming scripts onto checkout pages, is the biggest concern for security researchers. And security holes continue to pop up in the platform – Just last week Adobe issued fixes for critical- and important-severity flaws in Magento and earlier versions, warning that the security update was the final one for Magento 1.

As of Tuesday, e-commerce sites using the outdated Magento version will also be out of compliance with the PCI DSS standard (the Payment Card Industry Data Security Standard), which is a security standard for organizations handling credit cards, which aims to help reduce credit card fraud. Requirement 6 of the PCI DSS requires merchants to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches” which they cannot do when future security patches for Magento 1 are killed.

“Once a version of Magento Commerce software is no longer supported, it falls out of PCI compliance and it is your responsibility to re-certify compliance,” according to Adobe. “Merchants may be subject to fines or removal of credit card processing ability if you are unable to update vulnerabilities from regular scans and penetration testing.”

Adobe isn’t the only company urging websites to update. PayPal and Visa have also issued alerts, saying that PCI DSS requirements apply to merchant integrations with card payment brands. And according to a report by ZDNet, Mastercard also recently sent customers security alerts warning them to update to avoid cyberattacks.

Magento 1’s EOL has been a long time coming. Magento 2 was released in 2015 with various improved features, including better performance and a mobile-friendly admin interface (for reference, the most current version of Magento is Magento 2.3.5, released in April). The imminent June 2020 EOL for Magento 1 was then announced in September 2018, months after Adobe acquired Magento in May 2018. Since then, Magento has been working with technology vendors, developers, customers and partners for transition plans to the new version.

End of life timelines often leave lagging companies in security hot water. With Flash Player’s Dec. 31, 2020 kill date quickly approaching, for instance, Adobe said that it will start prompting users to uninstall the software in the coming months.

“Any time software reaches end-of-life there is the risk of attackers discovering new vulnerabilities that will remain unpatched,” Zach Varnell, Senior AppSec Consultant at nVisium, told Threatpost. “There may even be existing vulnerabilities that are not yet publicly known. Attackers could just sit on those issues and not reveal them until after the EOL date, ensuring that they will have longer to use them.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles