Facebook ecommerce plugin used by thousands of stores hacked to steal credit card data

 Credit card information for sale.
Credit: Shutterstock

A Facebook plugin built for a top ecommerce platform is said to be vulnerable in a way that allows threat actors to steal people’s credit card information, and ultimately - money.

Security researchers from Friends-of-Presta have warned of an SQL injection vulnerability in pkfacebook, claiming they observed the flaw being abused in the wild.

Pkfacebook is a plugin for PrestaShop, an open source ecommerce platform that enables individuals and businesses to create and manage their online stores. This plugin allows people to register their accounts and log in, using Facebook, leave feedback on bought items, and communicate with customer support.

Assume everyone's vulnerable

Friends-of-Presta is a community of developers, integrators, agencies, and software publishers. As per their findings, as well as those from cybersecurity researchers TouchWeb, the SQL injection flaw is tracked as CVE-2024-36680. It is being abused by malicious actors to install credit card skimmers on vulnerable websites, allowing them to steal valuable payment information.

Promokit, the company that develops and maintains the Facebook plugin, says it fixed it “long ago” but, as BleepingComputer finds, provided no proof for their claims. Right now, some 300,000 online stores are using PrestaShop, but it is impossible to determine how many are vulnerable right now.

Friends-Of-Presta believes all users should consider themselves vulnerable, and should do the following:

Update pkfacebook, make sure they use pSQL to avoid Stored XSS flaws, modify the default “ps_” prefix to a longer, arbitrary one, and activate OWASP 942 rules on the Web Application Firewall.

Breaking into vulnerable ecommerce sites to steal people’s credit card data is a popular form of cybercrime. MageCart was, at peak, by far the most popular and disruptive credit card-stealing cybercrime group out there. While lately the group has been successfully keeping a low profile, security researchers from Malwarebytes found activity that could be linked to the group, back in May 2023.

More from TechRadar Pro