Facebook PrestaShop mod used to steal credit cards

Hackers are exploiting a flaw in pkfacebook, an advanced Facebook module for PrestaShop, to deploy card skimmers on vulnerable e-commerce sites and steal customers' payment card details.

PrestaShop is an open source e-commerce platform that allows individuals and businesses to build and manage online stores. As of 2024, it is used by approximately 300,000 online stores worldwide.

Promokit's pkfacebook plugin is a module that allows store visitors to log in with a Facebook account, leave comments on the store page, and communicate with support agents using Messenger.

Promokit has sold more than 12,500 items on the Envato marketplace, but the Facebook module is sold only through the vendor's own website, which lists no sales figures.

The critical flaw, tracked as CVE-2024-36680, is a SQL injection vulnerability in pkfacebook's facebookConnect.php Ajax script that lets remote attackers inject SQL through crafted HTTP requests.

Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed “long ago” without providing any evidence.

Earlier this week, Friends-of-Presta published a proof of concept for CVE-2024-36680 and warned that it had found the vulnerability being actively exploited.

“This vulnerability is being actively exploited to deploy web browsers to steal credit cards at scale,” Friends-Of-Presta said.

Unfortunately, the developer has yet to share the latest build with Friends-of-Presta to confirm whether the flaw has been fixed.

Friends-Of-Presta notes that all builds should be considered potentially affected and recommends the following mitigations:

  • Upgrade to the latest pkfacebook version, which disables multi-query (stacked query) execution, although this does not prevent SQL injection based on the UNION clause.
  • Make sure to use pSQL to avoid stored XSS vulnerabilities, as it includes the strip_tags function for enhanced security.
  • Change the default “ps_” table prefix to an arbitrary, longer prefix to improve security, although this measure is not foolproof against highly skilled attackers.
  • Enable the OWASP 942 rules on the Web Application Firewall (WAF).
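As an added illustration, not code from pkfacebook, Promokit or PrestaShop, the following PHP contrasts the kind of string-concatenated query that SQL injection mitigations like those above target with a hardened version built on the PrestaShop helpers the list refers to (`pSQL`, integer casting, `_DB_PREFIX_`). The table name `example_fb_link`, its columns and the function names are hypothetical placeholders; `Db::getInstance()->executeS()`, `Tools::getValue()`, `Validate::isEmail()` and `pSQL()` are real PrestaShop APIs.

```php
<?php
// Added illustration for a PrestaShop module Ajax handler. The table
// "example_fb_link" and its columns are hypothetical placeholders; the
// PrestaShop helpers (Db, Tools, Validate, pSQL, _DB_PREFIX_) are real.

// --- Vulnerable pattern: request value concatenated straight into SQL ---
function findCustomerVulnerable()
{
    // Raw request input reaches the query unchanged, so a value that closes
    // the quote and appends a UNION clause changes the query's structure.
    // Disabling multi-query execution does not stop this, since a UNION
    // needs no second statement.
    $fbUserId = Tools::getValue('fb_user_id');
    $sql = 'SELECT id_customer, email FROM ' . _DB_PREFIX_ . 'example_fb_link'
         . " WHERE fb_user_id = '" . $fbUserId . "'";
    return Db::getInstance()->executeS($sql);
}

// --- Hardened pattern, numeric input: cast so only digits can reach SQL ---
function findCustomerHardened()
{
    $id = (int) Tools::getValue('fb_user_id');
    if ($id <= 0) {
        return [];                       // reject empty or non-numeric ids
    }
    // _DB_PREFIX_ carries whatever prefix the store owner chose, so module
    // code keeps working after the default "ps_" prefix is changed.
    $sql = 'SELECT id_customer, email FROM ' . _DB_PREFIX_ . 'example_fb_link'
         . ' WHERE fb_user_id = ' . $id;
    return Db::getInstance()->executeS($sql);
}

// --- Hardened pattern, string input: validate, then escape with pSQL() ---
function findCustomerByEmailHardened()
{
    $email = trim((string) Tools::getValue('email'));
    if (!Validate::isEmail($email)) {
        return [];                       // fail closed on malformed input
    }
    // pSQL() escapes the value for MySQL and, by default, also runs
    // strip_tags(), which is why the advisory recommends it against stored XSS
    // when the value is later written back into a page.
    $safe = pSQL($email);
    $sql = 'SELECT id_customer FROM ' . _DB_PREFIX_ . 'customer'
         . " WHERE email = '" . $safe . "'";
    return Db::getInstance()->executeS($sql);
}
```

The two hardened functions show the general rule behind the advisory: decide the type of every request value before it touches SQL (cast integers, validate strings, then escape with `pSQL`), and never rely on the query layer's multi-statement setting or the table prefix alone, since neither blocks a UNION-based injection in a concatenated string.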

NVD's CVE-2024-36680 listing states that all versions 1.0.1 and earlier are vulnerable. However, the latest version listed on the Promokit website is 1.0.0, so the patch availability status is unclear.

Hackers closely monitor SQL injection flaws affecting online store platforms because they can be used to gain administrative privileges, access or modify data on a website, extract database contents, and override SMTP settings to hijack emails.

About two years ago, PrestaShop issued an emergency warning and patch for modules that were vulnerable to SQL injection attacks, enabling code execution on targeted websites.