Online Shopping Cart Software Vulnerable: German BSI Report
See Also: OnDemand | Navigating the Difficulties of Patching OT
The Federal Office for Information Security – better known by its German acronym, BSI – said that it examined third-party web shop systems out of concern about the large amount of sensitive consumer data processed by online shops.
Germany has one of the largest e-commerce markets in Europe. About 8 in 10 residents spend money in online shops, creating a market that was worth $127.5 billion during 2021.
That number has only grown since, given that Germans used online shopping even more during the novel coronavirus epidemic. BSI estimates that 90% of individuals with internet access at least occasionally shop online, typically from a smartphone.
For a study published Monday, BSI officials examined 10 e-commerce checkout platforms including Magento, Zen Cart and PrestaShop.
German officials say all 10 platforms shared the low-level vulnerability of potentially transmitting sensitive information from form fields to third parties through the use of autocomplete. Nine in 10 didn’t require users to use strong passwords – a vulnerability BSI classified as medium risk.
An unidentified number of platforms used software that had passed its end-of-life date, meaning that new bugs don’t receive official patches. Researchers found one site that was vulnerable to cross-site request forgery and three that were at risk of cross-site scripting.
In a survey BSI conducted, about one-quarter of respondents reported “negative experiences with regard to data security” while shopping online.
BSI assesses that Germany’s cyberspace is experiencing mounting levels of cybercrime. The agency’s temporary head, Gerhard Schabhüser, used the study results to urge e-commerce platforms to improve their security. “Software manufacturers must carry out regular vulnerability analysis during the product development phase itself,” he said.