Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal people’s payment credit card details.
PrestaShop is an open-source e-commerce platform that allows individuals and businesses to create and manage online stores. As of 2024, it is used by approximately 300,000 online stores worldwide.
Promokit’s pkfacebook add-on is a module that allows shop visitors to log in using their Facebook accounts, leave comments under the shop’s pages, and communicate with support agents using Messenger.
Promokit has over 12,500 sales on the Envato market, but the Facebook module is only sold through the vendor’s website, and no sales number details are available.
The critical flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook’s facebookConnect.php Ajax script, allowing remote attackers to trigger SQL injection using HTTP requests.
Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed “a long time ago,” without providing any proof.
Earlier this week, Friends-of-Presta published a proof-of-concept exploit for CVE-2024-36680 and warned that they are seeing active exploitation of the bug in the wild.
“This exploit is actively used to deploy a web skimmer to massively steal credit cards,” says Friends-Of-Presta.
Unfortunately, the developers have not shared the latest release with Friends-of-Presta to confirm if the flaw was fixed.
Friends-Of-Presta notes that all versions should be considered as potentially impacted and recommends the following mitigations:
- Upgrade to the latest pkfacebook version, which disables multiquery executions, even if it does not protect against SQL injection using the UNION clause.
- Ensure pSQL is used to avoid Stored XSS vulnerabilities, as it includes a strip_tags function for added security.
- Modify the default “ps_” prefix to a longer, arbitrary one to improve security, though this measure is not foolproof against highly skilled attackers.
- Activate OWASP 942 rules on the Web Application Firewall (WAF).
NVD’s listing for CVE-2024-36680 determines all versions from 1.0.1 and older to be vulnerable. However, the latest version listed on Promokit’s site is 1.0.0, so the patch availability status is unclear.
Hackers closely monitor for SQL injection flaws impacting webshop platforms, as those can be used to obtain administrative privileges, access or modify data on the site, extract database contents, and rewrite SMTP settings to hijack emails.
Roughly two years back, PrestaShop issued an urgent warning and hotfix against attacks targeting modules vulnerable to SQL injection to achieve code execution on targeted sites.