Hackers are exploiting a flaw in a premium Fb module for PrestaShop named pkfacebook to deploy a card skimmer on weak e-commerce websites and steal folks’s fee bank card particulars.
PrestaShop is an open-source e-commerce platform that permits people and companies to create and handle on-line shops. As of 2024, it’s utilized by roughly 300,000 on-line shops worldwide.
Promokit’s pkfacebook add-on is a module that permits store guests to log in utilizing their Fb accounts, go away feedback underneath the store’s pages, and talk with help brokers utilizing Messenger.
Promokit has over 12,500 gross sales on the Envato market, however the Fb module is barely offered by way of the seller’s web site, and no gross sales quantity particulars can be found.
The crucial flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook’s facebookConnect.php Ajax script, permitting distant attackers to set off SQL injection utilizing HTTP requests.
Analysts at TouchWeb found the flaw on March 30, 2024, however Promokit.eu mentioned the flaw was fastened “a very long time in the past,” with out offering any proof.
Earlier this week, Associates-of-Presta revealed a proof-of-concept exploit for CVE-2024-36680 and warned that they’re seeing energetic exploitation of the bug within the wild.
“This exploit is actively used to deploy an internet skimmer to massively steal bank cards,” says Associates-Of-Presta.
Sadly, the builders haven’t shared the newest launch with Associates-of-Presta to verify if the flaw was fastened.
Associates-Of-Presta notes that every one variations ought to be thought-about as doubtlessly impacted and recommends the next mitigations:
- Improve to the newest pkfacebook model, which disables multiquery executions, even when it doesn’t shield towards SQL injection utilizing the UNION clause.
- Guarantee pSQL is used to keep away from Saved XSS vulnerabilities, because it features a strip_tags operate for added security.
- Modify the default “ps_” prefix to an extended, arbitrary one to enhance security, although this measure shouldn’t be foolproof towards extremely expert attackers.
- Activate OWASP 942 guidelines on the Net Utility Firewall (WAF).
NVD’s itemizing for CVE-2024-36680 determines all variations from 1.0.1 and older to be weak. Nevertheless, the newest model listed on Promokit’s web site is 1.0.0, so the patch availability standing is unclear.
Hackers intently monitor for SQL injection flaws impacting webshop platforms, as these can be utilized to acquire administrative privileges, entry or modify knowledge on the location, extract database contents, and rewrite SMTP settings to hijack emails.
Roughly two years again, PrestaShop issued an pressing warning and hotfix towards assaults concentrating on modules weak to SQL injection to realize code execution on focused websites.
