Much of the current ecommerce ecosystem will run on unsupported software from June 2020 (next year), when the Magento 1.x branch is expected to reach End of Life (EOL) and will no longer receive security updates.
The number of impacted online shops is currently estimated between 200,000 and 240,000, according to various statistical sources.
Owners of these online stores will need to migrate to the latest version of Magento, the 2.x branch, where they can still receive regular security patches.
Store owners who don’t migrate run the risk of having their sites hacked and infected with code that steals customers’ payment information. This is a fairly plausible scenario against the backdrop of an increase in the number of web skimming (Magecart) attacks.
Most Magento stores today use 1.x, not 2.x
Magento is by far the most popular technology for hosting an online store. It was launched in 2007 and quickly rose through the ranks with superior features and customization options.
In 2015, Magento 2.0 was released, an upgrade that was a complete rewrite and architectural overhaul of the previous version.
Due to the large number of breaking changes between the two versions, many store owners did not upgrade to the new 2.x branch, choosing to stay on the old version and avoid crashes or extended downtime – this is a fairly common practice in the webdev community.
This is why even today the use of the 1.x branch eclipses the 2.x version, although the new version is both technically and functionally superior to the old one.
Statistics collected by HostingTribunal in February 2019 found over 250,000 online stores using Magento, of which only 11,000 were running the new version 2.x.
When Adobe announced the end of support for Magento 1.x in September last year, it estimated the number of existing Magento 2.x stores to be around 30,000, with 8,000 new stores added each quarter.
The BuiltWith web statistics site currently estimates the total number of Magento installs (including cloud-hosted versions) at around 270,000.
Although none of these statistics provides the exact number of Magento 1.x sites, they show that the vast majority of Magento stores do not run the latest branch and are still using software that is soon to be obsolete.
Magecart, Magecart, Magecart
“It’s no secret that an unsupported CMS will develop vulnerabilities,” Art Martori, a security researcher at Sucuri, GoDaddy’s website security division, said today in a blog post.
“Ultimately these lead to a compromised website – which cripples any e-commerce business,” he said.
The greatest danger to these sites comes from the so-called Magecart gangs – online hacker groups that exploit vulnerabilities in online stores to take them over and plant code that records payment card details, which they then sell to other cybercrime groups.
Since their inception in 2015, Magecart attacks (web skimming or e-skimming) have mainly focused on Magento stores, due to the popularity of the software.
While Adobe’s cloud-based Magento hosting platform is usually updated with the latest fixes, self-hosted Magento installations are not, and this is where the bulk of the 1.x installations currently are.
As they stand today, all of these sites already present an attractive attack surface. Once Magento 1.x reaches end of life in June 2020, they will become even more attractive to hackers, who will focus more of their efforts on finding bugs in the 1.x branch, knowing that the Magento team will no longer be there to fix them.
If Magento store owners are hoping Adobe will push the end of life back another year or two, those hopes won’t come true. Adobe originally intended to EOL Magento 1.x on November 17, 2018. Store owners are already living on Adobe’s borrowed time.