Credit Card Data Theft via Exploitation of PrestaShop’s Facebook Module
June 23, 2024
Cybercriminals are exploiting a vulnerability in a premium Facebook module for PrestaShop, named pkfacebook, to inject a card skimmer into vulnerable e-commerce sites and steal shoppers' credit card data. PrestaShop is a platform for creating and managing online stores; as of 2024 it powers nearly 300,000 stores worldwide.
The pkfacebook add-on, developed by Promokit, provides a feature for visitors to log in via their Facebook accounts, post comments on the shop's pages, and communicate with support agents using Messenger. Promokit has made over 12,500 sales on the Envato market, but the Facebook module is exclusively sold through the vendor's website, and no details on sales numbers are available.
The critical flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook's facebookConnect.php Ajax script that lets remote attackers inject SQL through crafted HTTP requests. TouchWeb analysts discovered the flaw on March 30, 2024, but Promokit.eu claimed it had been fixed "a long time ago," without providing any evidence.
Earlier this week, Friends-of-Presta published a proof-of-concept exploit for CVE-2024-36680 and warned that the bug is being actively exploited. "This exploit is actively used to deploy a web skimmer to massively steal credit cards," says Friends-of-Presta. However, the developers have not provided the latest release to Friends-of-Presta so it could verify whether the flaw is fixed, so Friends-of-Presta advises treating all versions as potentially affected.
NVD's entry for CVE-2024-36680 lists all versions up to and including 1.0.1 as vulnerable. However, the most recent version listed on Promokit's site is 1.0.0, which leaves the availability of a patch unclear. Cybercriminals closely watch for SQL injection flaws in e-commerce platforms, because such flaws can be used to gain administrative privileges, read or modify site data, dump database contents, and rewrite SMTP settings to hijack a store's email.
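For store operators who want to check their web-server access logs for injection attempts against the Ajax script named above, here is an added example (not code from the article, from Promokit, or from Friends-of-Presta) that scans combined-format log lines for requests to facebookConnect.php whose query-string values carry common SQL injection indicators. The module directory "/modules/pkfacebook/", the parameter names, and the log lines themselves are constructed for the example; nothing about the module's actual parameters or the real exploit is taken from the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
# The module path "/modules/pkfacebook/" and the parameter names are assumptions
# made for this example; the article names only the script facebookConnect.php.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2024:10:12:01 +0000] "GET /modules/pkfacebook/facebookConnect.php?action=login&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:10:12:05 +0000] "GET /modules/pkfacebook/facebookConnect.php?action=login&id=42%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 734 "-" "python-requests/2.31"
198.51.100.7 - - [20/Jun/2024:10:13:44 +0000] "GET /modules/pkfacebook/facebookConnect.php?action=login&id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [20/Jun/2024:10:14:02 +0000] "GET /index.php?controller=product&id_product=12%27%20OR%201=1-- HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Apache/Nginx combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered (name, regex) indicators applied to each URL-decoded parameter value.
# The first indicator that matches names the finding.
SQLI_INDICATORS = [
    ("union-select", re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("tautology", re.compile(r"(?<!\w)(?:or|and)\s+['\"\w]+\s*=\s*['\"\w]+", re.I)),
    ("comment-terminator", re.compile(r"--\s|--$|/\*")),
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_value(value):
    """Return the name of the first SQL injection indicator found in a decoded value, else None."""
    for name, rx in SQLI_INDICATORS:
        if rx.search(value):
            return name
    return None


def scan_log(text, script="facebookConnect.php"):
    """Scan access-log text and return one finding per request carrying an SQLi indicator.

    By default only requests whose path ends in `script` are examined; pass
    script=None to apply the same indicators to every request.
    """
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if script and not parts.path.lower().endswith(script.lower()):
            continue
        # parse_qsl percent-decodes values, so encoded quotes and spaces are visible to the regexes.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            hit = classify_value(value)
            if hit:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": parts.path,
                    "param": key, "value": value, "indicator": hit,
                    "status": rec["status"], "ua": rec["ua"],
                })
                break  # one finding per request is enough
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} [{f['indicator']}] ua={f['ua']}")
```

Two caveats for anyone running this against real logs: access logs record only the request line, so an injection carried in a POST body (common for Ajax endpoints) is invisible here and must be looked for in a WAF, reverse-proxy or application log that captures bodies; and a 200 response to a flagged request, as in the sample lines, does not by itself tell you whether the injection succeeded, so a hit should be followed by checking the database (admin accounts, SMTP settings, theme and module files) for the modifications the article lists.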
About two years ago, PrestaShop issued an urgent warning and hotfix against attacks targeting modules susceptible to SQL injection, which could lead to code execution on targeted sites.