Shoplift, a major Magento security bug, was discovered this February by Check Point. It is a critical breach in Magento security. Here are some examples of how this exploit can be used:
The particular vulnerabilities can be found here:
and the details of the bug itself over here:
http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
What is Shoplift?
Shoplift is an error in Magento code which allows to bypass the authentication by a server query.
What are the dangers?
Upload of arbitrary files, execution of an arbitrary PHP script, full access to the database (with your clients’ data). In other words, the attacker might give themselves a 100% discount in your store (see the clip above), create an admin account, steal your clients’ data, and much more. They can basically do everything that only the shop owner or the administrator can.
According to Securi, there have been first incidents of using this bug in the wild already:
https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html
Is MY shop in danger?
Check it here: http://magento.com/security-patch
How to defend myself?
Be sure to install the SUPEE-534 patch. You can find it here: https://www.magentocommerce.com/products/downloads/magento/
If you want our team to do it for you, feel free to contact us.
