Hackers are exploiting a flaw in the premium Facebook module for PrestaShop, named pkfacebook, to deploy a card skimmer on vulnerable e-commerce sites, stealing customers' credit card details.
PrestaShop, an open-source e-commerce platform, is widely used by approximately 300,000 online stores globally as of 2024. Promokit's pkfacebook add-on allows shop visitors to log in using Facebook, leave comments, and communicate with support agents via Messenger. Promokit has over 12,500 sales on the Envato market, though the Facebook module is exclusively sold through the vendor's website, with no available sales data.
The critical flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook's facebookConnect.php Ajax script, which lets remote attackers inject SQL through crafted HTTP requests to that script. TouchWeb analysts discovered the flaw on March 30, 2024. Promokit.eu claimed the flaw had been fixed "a long time ago" but provided no evidence.
Recently, Friends-of-Presta published a proof-of-concept exploit for CVE-2024-36680, warning of active exploitation in the wild. "This exploit is actively used to deploy a web skimmer to massively steal credit cards," stated Friends-of-Presta. Despite this, the developers have not shared the latest release with Friends-of-Presta so that the fix could be confirmed.
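If you run pkfacebook and want to know whether the exploitation Friends-of-Presta describes has already reached your store, the first place to look is the web server access log for requests to the vulnerable script. The following is an added example (not code from this article, from Promokit or from Friends-of-Presta) that hunts through Apache/nginx combined-format log lines for requests to facebookConnect.php whose query string carries SQL injection markers, after undoing the layered URL encoding attackers use to slip past naive filters. The module path, the `param` query parameter and the log lines themselves are constructed for this demo and are not taken from the advisory or the exploit.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Location of the vulnerable Ajax script. PrestaShop serves module files from
# /modules/<module_name>/, so this is where facebookConnect.php is expected;
# the exact path is an assumption of this demo, adjust it to your install.
TARGET_PATH = "/modules/pkfacebook/facebookConnect.php"

# Fragments that have no business in this script's query string.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "quote-boolean": re.compile(r"['\"]\s*(?:or|and)\s+['\"\w]", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema-probe": re.compile(r"\binformation_schema\b", re.I),
}

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding; attackers double-encode to dodge naive filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return ("suspicious", record), ("review", record) or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    query = decode_layers(url.query)
    matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(query)]
    record = {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "status": m.group("status"), "query": query, "matched": matched,
    }
    if matched:
        return "suspicious", record
    if m.group("method") == "POST":
        # Access logs never record request bodies, so a POST to the script can
        # carry the injection with nothing visible here: route it to sources
        # that do see bodies (WAF audit log, reverse-proxy request logging).
        return "review", record
    return None


def hunt(lines):
    """Split log lines into (suspicious, needs-body-review) record lists."""
    suspicious, review = [], []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        verdict, record = result
        (suspicious if verdict == "suspicious" else review).append(record)
    return suspicious, review


# Constructed sample log lines (not real traffic). "param" is a hypothetical
# query parameter name, not the one the advisory refers to.
SAMPLE_LOG = """
203.0.113.10 - - [20/Jun/2024:10:01:02 +0000] "GET /modules/pkfacebook/facebookConnect.php?action=connect&token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2024:10:05:44 +0000] "GET /modules/pkfacebook/facebookConnect.php?param=1%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 1984 "-" "python-requests/2.31"
198.51.100.9 - - [20/Jun/2024:10:05:51 +0000] "GET /modules/pkfacebook/facebookConnect.php?param=1%2527%2520or%25201%253D1 HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.22 - - [20/Jun/2024:10:07:13 +0000] "GET /index.php?controller=search&s=union+select HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2024:10:08:02 +0000] "POST /modules/pkfacebook/facebookConnect.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
""".strip().splitlines()

if __name__ == "__main__":
    suspicious, review = hunt(SAMPLE_LOG)
    for rec in suspicious:
        print("SUSPICIOUS", rec["ip"], rec["ts"], rec["matched"], rec["query"])
    for rec in review:
        print("REVIEW BODY", rec["ip"], rec["ts"], rec["method"])
```

Run it over the real log with `hunt(open("access.log"))`. The path filter is what keeps the noise down: "union select" typed into the site search box is not interesting, the same string aimed at facebookConnect.php is. The third sample line shows why the decoder loops: a double-encoded `%2527` only becomes a quote after two passes. A 200 response to a suspicious request is worth more attention than a 500, since the skimmer deployment the advisory describes needs the injection to succeed.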
Friends-of-Presta recommends the following mitigations:
1. Upgrade to the latest pkfacebook version, which disables multi-query (stacked, semicolon-separated) execution. Note that this does not protect against SQL injection that uses a UNION clause, since a UNION stays inside a single statement.
2. Ensure pSQL() is used on user-supplied values before they reach the database; besides escaping the value, it runs strip_tags on it, which also removes stored XSS payloads.
3. Change the default "ps_" table prefix to a longer, arbitrary one. This raises the bar but is not foolproof: an attacker with a working injection can still enumerate the real table names from the database catalogue.
4. Enable the SQL injection rules of the OWASP ModSecurity Core Rule Set (the 942 rule group) on the Web Application Firewall (WAF).
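Mitigations 1 to 3 each come with a caveat, and they are easiest to see side by side. The following added example (not code from this article, from PrestaShop, from Promokit or from Friends-of-Presta) reproduces the vulnerable pattern against an in-memory SQLite database standing in for the shop's MySQL: a stacked statement is refused once only single statements execute, yet a UNION inside one statement still reads another table; the attacker recovers the renamed table prefix from the database catalogue (sqlite_master here, information_schema.tables on MySQL); and a pSQL-style escaper stops the injection in a quoted string context but not in a numeric one, where the (int) cast is what closes it. The schema, the prefix, the `psql_like` stand-in and the `to_int` helper are all assumptions of this demo, not PrestaShop's own code.

```python
import re
import sqlite3

# Constructed demo schema. The store's table prefix has already been changed
# away from the default "ps_" (mitigation 3), so the attacker does not know it.
PREFIX = "x9q_"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {PREFIX}customer (id INTEGER, email TEXT, fb_uid TEXT);
        INSERT INTO {PREFIX}customer VALUES (1, 'alice@example.com', '1001');
        CREATE TABLE {PREFIX}employee (id INTEGER, email TEXT, passwd TEXT);
        INSERT INTO {PREFIX}employee VALUES (1, 'admin@example.com', 'hash-placeholder');
    """)
    return con


def lookup_vulnerable(con, fb_uid):
    """Untrusted input concatenated into a quoted literal: the bug class behind CVE-2024-36680."""
    sql = f"SELECT id, email FROM {PREFIX}customer WHERE fb_uid = '{fb_uid}'"
    try:
        return con.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3's execute() refuses a second statement, the same effect as
        # PrestaShop disabling multi-query execution (mitigation 1).
        return "stacked query refused"


def psql_like(value, html_ok=False):
    """Stand-in for PrestaShop's pSQL(): strip HTML tags unless explicitly allowed
    (the stored-XSS point of mitigation 2), then escape for a quoted SQL literal.
    Real pSQL uses MySQL backslash escaping; SQLite doubles the quote instead."""
    if not html_ok:
        value = re.sub(r"<[^>]*>", "", value)
    return value.replace("'", "''")


def to_int(value):
    """Emulates PHP's (int) cast: leading integer or 0, never raises."""
    m = re.match(r"\s*[-+]?\d+", value)
    return int(m.group()) if m else 0


def lookup_escaped(con, fb_uid):
    """Quoted context with the escaper applied: the quote can no longer break out."""
    sql = f"SELECT id, email FROM {PREFIX}customer WHERE fb_uid = '{psql_like(fb_uid)}'"
    return con.execute(sql).fetchall()


def lookup_by_id_escaped(con, customer_id):
    """Numeric (unquoted) context: escaping quotes is no help, the payload needs none."""
    sql = f"SELECT id, email FROM {PREFIX}customer WHERE id = {psql_like(customer_id)}"
    return con.execute(sql).fetchall()


def lookup_by_id_cast(con, customer_id):
    """Numeric context closed the PrestaShop way: (int) cast, here also bound as a parameter."""
    sql = f"SELECT id, email FROM {PREFIX}customer WHERE id = ?"
    return con.execute(sql, (to_int(customer_id),)).fetchall()


def demo():
    con = make_db()
    r = {}
    # 1. Stacked statement (attacker guessing the default prefix): refused outright.
    r["stacked"] = lookup_vulnerable(con, "1001'; DROP TABLE ps_employee; --")
    # 2. A UNION stays inside one statement, so it still runs. The attacker first
    #    reads the catalogue (sqlite_master here, information_schema.tables on
    #    MySQL) to learn the real prefix, then dumps the staff table with it.
    r["tables"] = lookup_vulnerable(con, "' UNION SELECT name, type FROM sqlite_master --")
    staff = next(name for name, _ in r["tables"] if name.endswith("employee"))
    r["dump"] = lookup_vulnerable(con, f"' UNION SELECT email, passwd FROM {staff} --")
    # 3. Same payload through the escaper: it is just an fb_uid that matches nothing.
    r["escaped"] = lookup_escaped(con, f"' UNION SELECT email, passwd FROM {staff} --")
    r["legit"] = lookup_escaped(con, "1001")
    # 4. Escaper in a numeric context: still injectable; the cast is what closes it.
    payload = f"0 UNION SELECT email, passwd FROM {staff}"
    r["numeric_escaped"] = lookup_by_id_escaped(con, payload)
    r["numeric_cast"] = lookup_by_id_cast(con, payload)
    return r


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:16} {result}")
```

The takeaway for module code is that the escaper only protects a value that sits inside quotes; numeric parameters need an (int) cast or a bound parameter, and the table prefix is a speed bump rather than a secret once an attacker can read the catalogue. Disabling stacked queries removes one class of payload (appending a DROP or an INSERT) and nothing else.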
NVD's listing for CVE-2024-36680 indicates that versions 1.0.1 and earlier are vulnerable, yet the latest version listed on Promokit's site is 1.0.0, leaving the patch availability status unclear.
Attackers closely watch for SQL injection flaws in webshop platforms, since these can be used to gain administrative privileges, read or modify site data, dump database contents, and rewrite SMTP settings to hijack emails.
About two years ago, PrestaShop issued an urgent warning and a hotfix against attacks that chained SQL injection in vulnerable modules into code execution on targeted sites.