
Facebook PrestaShop module used to steal credit cards

Hackers are exploiting a vulnerability in a premium Facebook integration module for PrestaShop called pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal customers’ credit card information.

PrestaShop is an open source e-commerce platform that enables individuals and businesses to create and manage online stores. As of 2024, it is used by approximately 300,000 online stores around the world.


Promokit’s pkfacebook add-on is a module that allows store visitors to log in using their Facebook account, leave comments on store pages, and communicate with support agents via Messenger.

Promokit has over 12,500 sales on the Envato marketplace, but the Facebook module is only sold through the vendor’s website and no sales number details are available.

The critical vulnerability, tracked as CVE-2024-36680, is a SQL injection flaw in pkfacebook’s facebookConnect.php Ajax script that remote attackers can trigger with crafted HTTP requests.

TouchWeb analysts discovered the vulnerability on March 30, 2024, but Promokit.eu said the flaw was fixed “a long time ago,” without providing any evidence.

Earlier this week, Friends-of-Presta released a proof-of-concept exploit for CVE-2024-36680 and warned that it is observing active exploitation of this bug in the wild.

“This exploit is being actively used to deploy a web skimmer to steal credit cards en masse,” says Friends-Of-Presta.

Unfortunately, the developers have not provided Friends-of-Presta with the latest version of pkfacebook, so it could not confirm whether the bug has been fixed.

Friends-Of-Presta notes that all versions should be considered potentially affected and recommends the following mitigations:

  • Update to the latest version of pkfacebook, which disables multi-query (stacked statement) execution; note that this alone does not protect against UNION-based SQL injection.
  • Make sure pSQL() is used on values that go into SQL queries; it also applies strip_tags, which helps prevent stored XSS.
  • Change the default “ps_” database table prefix to a longer, arbitrary one; this raises the bar but will not stop a skilled attacker.
  • Enable the OWASP Core Rule Set 942 (SQL injection) rules in the web application firewall (WAF).

The NVD listing for CVE-2024-36680 states that versions 1.0.1 and earlier are vulnerable. However, the latest version listed on the Promokit website is 1.0.0, so whether a patch is actually available is unclear.

Hackers closely monitor SQL injection vulnerabilities in online shopping platforms because they can be exploited to gain administrative privileges, read or modify site data, dump database contents, and rewrite SMTP settings to intercept or tamper with the store’s email.

About two years ago, PrestaShop issued an urgent warning and fix regarding attacks targeting modules vulnerable to SQL injection to execute code on targeted sites.