In the wake of a number of serious vulnerabilities — including the critical ShopLift vulnerability — Magento announced in May that it would be introducing the Magento Alert Registry to keep eCommerce retailers up-to-date about potential security problems. You can now sign up here.
“We are committed to platform security and are taking proactive steps intended to ensure this. In the coming weeks, we will be establishing the Magento Alert Registry to serve as a direct line of communications in future urgent situations, separate from any marketing communications. By being able to connect with both our Community and Enterprise Edition merchants directly via your preferred method – email, text or social – we will be able to more quickly inform you of steps to resolution.”
Magento is by far the most popular eCommerce application in the world. With tens of thousands of users of both the free Magento Community Edition and the premium Magento Enterprise Edition, it’s a juicy target for attackers. Given the nature of the data involved in eCommerce, it’s essential that any vulnerabilities are patched as quickly as possible.
From a technical standpoint, Magento has excelled at patching any vulnerabilities in a reasonable timeframe, but creating patches and making them available for download isn’t enough. It’s also essential that users are made aware that a patch needs to be applied. Otherwise, thousands of store owners could be entirely unaware of the existence of a problem and its fix, leaving them open to attack by online criminals.
The communication problem is a pressing one. The ShopLift vulnerability was patched in February, and the researchers who discovered it went public with details in April. Although Magento had sent out several warning emails via its mailing lists, 60 percent of Magento stores were still unpatched when the researchers made their full disclosure. We could criticize the researchers at Check Point for releasing too early, but in reality they adhered to the letter of the doctrine of responsible disclosure, if not its spirit.
Once a patch is released, it’s reasonable to assume that online criminals will become aware of the vulnerability and act on it. There is a difficult balance to be struck between informing at-risk users and putting them at more risk by publicizing the vulnerability. Magento’s choice to release information about the vulnerability only through private email channels, rather than widely publicizing the vulnerability and the patch, is understandable — the more people know about the vulnerability, the greater the risk to unpatched stores — but ultimately, security by obscurity is not the answer.
By creating a Magento Alert Registry that will allow eCommerce retailers to receive information in a variety of formats, not just easily ignored emails, Magento is ensuring that as many retailers as possible are made aware of vulnerabilities and patches as quickly as possible. The Alert Registry will hopefully mitigate the effect we saw with ShopLift.