Hackers are exploiting a flaw in a premium Fb module for PrestaShop named pkfacebook to deploy a card skimmer on susceptible e-commerce websites and steal folks’s fee bank card particulars.
PrestaShop is an open-source e-commerce platform that permits people and companies to create and handle on-line shops. As of 2024, it’s utilized by roughly 300,000 on-line shops worldwide.
Promokit’s pkfacebook add-on is a module that permits store guests to log in utilizing their Fb accounts, depart feedback below the store’s pages, and talk with help brokers utilizing Messenger.
Promokit has over 12,500 gross sales on the Envato market, however the Fb module is simply bought by the seller’s web site, and no gross sales quantity particulars can be found.
The essential flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook’s facebookConnect.php Ajax script, permitting distant attackers to set off SQL injection utilizing HTTP requests.
Analysts at TouchWeb found the flaw on March 30, 2024, however Promokit.eu stated the flaw was mounted “a very long time in the past,” with out offering any proof.
Earlier this week, Associates-of-Presta printed a proof-of-concept exploit for CVE-2024-36680 and warned that they’re seeing energetic exploitation of the bug within the wild.
“This exploit is actively used to deploy an internet skimmer to massively steal bank cards,” says Associates-Of-Presta.
Sadly, the builders haven’t shared the newest launch with Associates-of-Presta to substantiate if the flaw was mounted.
Associates-Of-Presta notes that every one variations needs to be thought-about as doubtlessly impacted and recommends the next mitigations:
- Improve to the newest pkfacebook model, which disables multiquery executions, even when it doesn’t shield in opposition to SQL injection utilizing the UNION clause.
- Guarantee pSQL is used to keep away from Saved XSS vulnerabilities, because it features a strip_tags operate for added safety.
- Modify the default “ps_” prefix to an extended, arbitrary one to enhance safety, although this measure just isn’t foolproof in opposition to extremely expert attackers.
- Activate OWASP 942 guidelines on the Internet Software Firewall (WAF).
NVD’s itemizing for CVE-2024-36680 determines all variations from 1.0.1 and older to be susceptible. Nevertheless, the newest model listed on Promokit’s website is 1.0.0, so the patch availability standing is unclear.
Hackers intently monitor for SQL injection flaws impacting webshop platforms, as these can be utilized to acquire administrative privileges, entry or modify knowledge on the positioning, extract database contents, and rewrite SMTP settings to hijack emails.
Roughly two years again, PrestaShop issued an pressing warning and hotfix in opposition to assaults concentrating on modules susceptible to SQL injection to realize code execution on focused websites.