Facebook ecommerce plugin used by thousands of stores hacked to steal credit card data
![](https://cdn.shortpixel.ai/spai/q_lossy+ret_img+to_auto/www.wilsonsmedia.com/wp-content/uploads/2024/06/facebook-ecommerce-plugin-used-by-thousands-of-stores-hacked-to-steal-credit-card-data.jpg)
![](https://cdn.shortpixel.ai/spai/q_lossy+ret_img+to_auto/i0.wp.com/cdn.mos.cms.futurecdn.net/uKXZL3qgJyQRYu26KhMxd6-1200-80.jpg?w=640&ssl=1)
A Facebook plugin built for a top ecommerce platform is said to be vulnerable in a way that allows threat actors to steal people’s credit card information, and ultimately – money.
Security researchers from Friends-of-Presta have warned of an SQL injection vulnerability in pkfacebook, claiming they observed the flaw being abused in the wild.
Pkfacebook is a plugin for PrestaShop, an open source ecommerce platform that enables individuals and businesses to create and manage their online stores. This plugin allows people to register their accounts and log in, using Facebook, leave feedback on bought items, and communicate with customer support.
Assume everyone’s vulnerable
Friends-of-Presta is a community of developers, integrators, agencies, and software publishers. As per their findings, as well as those from cybersecurity researchers TouchWeb, the SQL injection flaw is tracked as CVE-2024-36680. It is being abused by malicious actors to install credit card skimmers on vulnerable websites, allowing them to steal valuable payment information.
Promokit, the company that develops and maintains the Facebook plugin, says it fixed it “long ago” but, as BleepingComputer finds, provided no proof for their claims. Right now, some 300,000 online stores are using PrestaShop, but it is impossible to determine how many are vulnerable right now.
Friends-Of-Presta believes all users should consider themselves vulnerable, and should do the following:
Update pkfacebook, make sure they use pSQL to avoid Stored XSS flaws, modify the default “ps_” prefix to a longer, arbitrary one, and activate OWASP 942 rules on the Web Application Firewall.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Breaking into vulnerable ecommerce sites to steal people’s credit card data is a popular form of cybercrime. MageCart was, at peak, by far the most popular and disruptive credit card-stealing cybercrime group out there. While lately the group has been successfully keeping a low profile, security researchers from Malwarebytes found activity that could be linked to the group, back in May 2023.
More from TechRadar Pro
A Facebook plugin built for a top ecommerce platform is said to be vulnerable in a way that allows threat actors to steal people’s credit card information, and ultimately – money. Security researchers from Friends-of-Presta have warned of an SQL injection vulnerability in pkfacebook, claiming they observed the flaw being…
Recent Posts
- Apple says no to PC emulators on iOS
- Forget waiting for Inside Out 2 on Disney Plus, Apple TV Plus’ WondLa is the animated adventure you need to watch first
- Rumored Apple and Meta collaboration might make the iPhone 16 a better AI phone
- Valve is selling the 512GB LCD Steam Deck for less than $400
- Facebook ecommerce plugin used by thousands of stores hacked to steal credit card data
Archives
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011