Shoplift bug threat still prevalent

Check Point’s malware and vulnerability research group discovered a critical remote code execution vulnerability in eBay’s Magento web e-commerce platform in February, impacting 200,000 online shops.

A patch to address the flaw was released on February 9. Despite this, many sites remain unpatched. Store owners and administrators are urged to apply the patch immediately.

If exploited, the vulnerability, otherwise known as a shoplift bug, gives the attacker the ability to compromise any online store on the Magento platform, including credit card information and other customer financial and personal data.

The vulnerability allows any attacker to bypass security mechanisms and gain control of the store and its complete database, allowing credit card theft or any other administrative access into the system.

“As online shopping continues to overpower in-store shopping, e-commerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said malware and vulnerability research manager at Check Point Software Technologies, Shahar Tal.

“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores, which represents about 30 per cent of the e-commerce market.”

Magento’s patch is not rolled into the downloadable versions of Magento Community and Enterprise Edition and has to be applied separately. In addition, the patch is not pushed out automatically, so users must log in to download it.
