PrestaShop revealed on Friday that malicious actors are exploiting “known and unknown vulnerabilities” in older versions of its software to hack websites, and potentially steal customers’ payment data.
“To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities,” PrestaShop stated. “We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.”
PrestaShop said it is fixing a previously unknown vulnerability that was discovered while investigating this breach. However, the company noted that it is uncertain this is the only way the hackers can exploit its software.
PrestaShop is a free, open-source e-commerce solution that allows users to set up and manage online stores. It provides secure payment solutions and other services such as performance analysis and web marketing. According to PrestaShop, nearly 300,000 online stores use its software, and it has a strong presence in Europe and South America.
What We Know About the PrestaShop Breach
PrestaShop said sites running older versions of its software are at risk of being injected with malicious code. These sites are subject to SQL injection vulnerabilities, the company explained, which allow attackers to change or steal the data they hold.
SQL is the query language most websites use to manage their databases. In a SQL injection attack, the attacker supplies crafted input that a vulnerable endpoint splices into a database query without sanitizing it, so the input is executed as part of the query. An attacker can use such a vulnerability to gain administrator privileges—allowing them to access, send, or even destroy stored information.
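To make the mechanism above concrete, here is an added example (not PrestaShop code, and not from the advisory) showing the vulnerable pattern beside its fix. It uses an in-memory SQLite database with a constructed customer table: one lookup splices the user-supplied value into the SQL text, the other binds it as a parameter. The same crafted input returns every row from the first and nothing from the second.

```python
"""Added example: a SQL-injectable lookup beside its parameterized fix.

Not PrestaShop code. A minimal, self-contained illustration of the
vulnerability class the article describes, using SQLite and a
constructed customer table so it runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customer (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 0), ("admin@example.com", 1)],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the user-supplied value is spliced into the SQL text.

    A quote character in `email` closes the string literal and whatever
    follows is parsed by the database as SQL, not as data."""
    sql = f"SELECT id, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text,
    so the database always treats it as a single string to compare."""
    return conn.execute(
        "SELECT id, email FROM customer WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with a constructed hostile value."""
    conn = build_db()
    normal = "alice@example.com"
    hostile = "x' OR '1'='1"  # constructed input: closes the literal, adds a tautology
    return {
        "vuln_normal": len(find_customer_vulnerable(conn, normal)),
        "vuln_hostile": len(find_customer_vulnerable(conn, hostile)),
        "safe_normal": len(find_customer_safe(conn, normal)),
        "safe_hostile": len(find_customer_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not input filtering but separating code from data: with bound parameters there is no string for the attacker's quote to escape from, which is why parameterized queries are the baseline remediation for both core code and third-party modules.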
SQL injection vulnerabilities can plague even the largest organizations. Last year, Zoho Corp revealed that its ManageEngine OpManager tool had an SQL injection vulnerability.
“To the best of our understanding, this issue seems to concern shops based on versions 22.214.171.124 or greater…” PrestaShop said. “Versions 126.96.36.199 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.”
Attackers Added Fake Payment Form at Checkout to Steal Data
Based on information from “shop owners and developers,” PrestaShop said it appears the hackers usually inject malicious code to create a new file via the website’s database, giving them the ability to execute arbitrary instructions.
With this privilege, they would add a fake payment form on the website’s checkout page. Any payment data, such as credit card information, that customers enter into this form is sent to the attackers.
PrestaShop added that this was the most “common pattern” of attack, but the hackers may be exploiting the breach in other ways, including “placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.”
PrestaShop’s Recommendations to Users
PrestaShop recommends that users make sure their shop and modules are running on the latest version of its software.
The company also advised clients to disable the MySQL Smarty cache storage feature in the PrestaShop code. According to PrestaShop, this “rarely used” feature is disabled by default; however, hackers can enable it remotely. Disabling it would “break the attack chain.”
PrestaShop said it is working on a patch to fix the vulnerability associated with this feature.
Check out PrestaShop’s statement for further details, such as locating the MySQL Smarty cache file. PrestaShop recommends that clients reach out to a specialist to conduct a full audit of their website.
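Because the advice above hinges on a setting that attackers can flip remotely, a shop operator will want a repeatable check rather than a one-time visual inspection. The script below is an added example, not PrestaShop’s code and not part of its statement. It assumes a PrestaShop-style configuration table of name/value rows named `<prefix>configuration`, the configuration key `PS_SMARTY_CACHING_TYPE` (default `filesystem`, risky value `mysql`) and a cache table `<prefix>smarty_cache`; none of these identifiers appear in the article, so verify them against your own install before relying on the script. SQLite stands in for MySQL so that it runs offline against constructed data.

```python
"""Added example: audit, and optionally revert, the Smarty cache storage setting.

Not PrestaShop's own code. Assumed identifiers (not named in the article):
the `<prefix>configuration` table of name/value rows, the configuration key
PS_SMARTY_CACHING_TYPE and the `<prefix>smarty_cache` table. SQLite stands in
for MySQL; the data is constructed for the demonstration.
"""
import re
import sqlite3

CONFIG_KEY = "PS_SMARTY_CACHING_TYPE"  # assumed key; 'filesystem' default, 'mysql' risky
SAFE_VALUE = "filesystem"


def _checked_prefix(prefix: str) -> str:
    """Table prefixes cannot be bound as parameters, so restrict them to a safe
    character set before interpolating them into SQL (the lesson of the article)."""
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError(f"refusing suspicious table prefix: {prefix!r}")
    return prefix


def make_demo_db(caching_type: str, cache_rows: int) -> sqlite3.Connection:
    """Constructed stand-in for a shop database using the default 'ps_' prefix."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ps_configuration (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO ps_configuration VALUES (?, ?)", (CONFIG_KEY, caching_type))
    conn.execute(
        "CREATE TABLE ps_smarty_cache (id_smarty_cache INTEGER PRIMARY KEY, "
        "name TEXT, cache_id TEXT, modified TEXT, content BLOB)"
    )
    for i in range(cache_rows):
        conn.execute(
            "INSERT INTO ps_smarty_cache (name, cache_id, modified, content) "
            "VALUES (?, ?, ?, ?)",
            (f"tpl{i}", "", "2022-07-20 00:00:00", b"cached"),  # constructed rows
        )
    conn.commit()
    return conn


def audit_smarty_cache(conn: sqlite3.Connection, prefix: str = "ps_") -> dict:
    """Report whether MySQL Smarty cache storage is on and whether its table shows use.

    The article says the feature is off by default and that attackers enable it
    remotely, so a 'mysql' value, or rows in the cache table of a shop that never
    turned the feature on, deserves an alert and a closer look at the install."""
    p = _checked_prefix(prefix)
    row = conn.execute(
        f"SELECT value FROM {p}configuration WHERE name = ?", (CONFIG_KEY,)
    ).fetchone()
    caching_type = row[0] if row else None
    count, newest = conn.execute(
        f"SELECT COUNT(*), MAX(modified) FROM {p}smarty_cache"
    ).fetchone()
    return {
        "caching_type": caching_type,
        "mysql_cache_enabled": caching_type == "mysql",
        "cache_rows": count,
        "newest_cache_entry": newest,
        "alert": caching_type == "mysql" or count > 0,
    }


def disable_mysql_smarty_cache(conn: sqlite3.Connection, prefix: str = "ps_") -> dict:
    """Revert the setting to the filesystem default, clear the cache table, re-audit."""
    p = _checked_prefix(prefix)
    conn.execute(
        f"UPDATE {p}configuration SET value = ? WHERE name = ?", (SAFE_VALUE, CONFIG_KEY)
    )
    conn.execute(f"DELETE FROM {p}smarty_cache")
    conn.commit()
    return audit_smarty_cache(conn, prefix)


if __name__ == "__main__":
    shop = make_demo_db("mysql", 3)  # constructed: a shop where the flag was flipped
    print("before:", audit_smarty_cache(shop))
    print("after: ", disable_mysql_smarty_cache(shop))
```

Run the audit on a schedule and alert on any change from the `filesystem` default; a shop that deliberately uses MySQL cache storage should instead treat an unexpected change of the value, or cache rows appearing outside normal deployments, as the signal. Reverting the setting addresses one link in the chain only, so it complements, rather than replaces, the update and full audit PrestaShop recommends.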