Facebook Plugin Hacked: Steals Credit Data

Facebook plugin hacked, leading to massive credit card data theft. Learn how to protect yourself and stay safe online.

Facebook Plugin Hacked to Steal Credit Card Data


A Facebook plugin built for a top ecommerce platform is reported to be vulnerable, allowing threat actors to steal credit card information and money. Security researchers from Friends-of-Presta have identified an SQL injection vulnerability in the pkfacebook plugin, which is actively being exploited.


Pkfacebook is a plugin for PrestaShop, an open-source ecommerce platform that helps individuals and businesses create and manage online stores. The plugin allows users to register accounts, log in using Facebook, leave feedback on purchased items, and communicate with customer support.

The Vulnerability

Friends-of-Presta, a community of developers, integrators, agencies, and software publishers, alongside cybersecurity researchers from TouchWeb, have discovered the SQL injection flaw tracked as CVE-2024-36680. This flaw enables malicious actors to install credit card skimmers on vulnerable websites, facilitating the theft of valuable payment information.

Promokit, the developer and maintainer of the Facebook plugin, claims to have fixed the vulnerability long ago. However, no proof has been provided to support this claim. Currently, approximately 300,000 online stores use PrestaShop, but it is unclear how many remain vulnerable.


Friends-Of-Presta advises all users to assume they are vulnerable and take the following actions:

  • Update pkfacebook to the latest version.
  • Use pSQL to avoid Stored XSS flaws.
  • Modify the default “ps_” prefix to a longer, arbitrary one.
  • Activate OWASP 942 rules on the Web Application Firewall.
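The following is an added illustration, not pkfacebook's or PrestaShop's own code: a hypothetical module method that looks up a customer by a social-login id, first in the unsafe concatenated form and then hardened with two of the measures above (pSQL for string input and the _DB_PREFIX_ constant instead of a hard-coded "ps_" prefix). The class name, table name and method names are assumptions; Db::getInstance(), getRow(), pSQL() and Validate::isEmail() are standard PrestaShop APIs.

```php
<?php
// Hypothetical PrestaShop module (added example, not pkfacebook's code).
// Table name `customer_facebook` and the class/method names are assumptions.
class HypotheticalSocialLoginModule extends Module
{
    // Unsafe pattern: user-controlled values are concatenated straight into
    // the SQL string, and the table prefix is hard-coded as "ps_".
    public function findCustomerUnsafe($facebookId, $email)
    {
        $sql = 'SELECT `id_customer` FROM `ps_customer_facebook` '
             . "WHERE `facebook_id` = '" . $facebookId . "' "
             . "AND `email` = '" . $email . "'";
        return Db::getInstance()->getRow($sql);
    }

    // Hardened pattern:
    //  - input is validated before it reaches the query;
    //  - string values pass through pSQL(), which escapes SQL metacharacters
    //    and, with its default second argument, strips HTML tags, so a value
    //    stored now cannot later be rendered as stored XSS;
    //  - the table name is built from _DB_PREFIX_, so a store that changed
    //    the default "ps_" prefix (as the advisory recommends) keeps working.
    public function findCustomerSafe($facebookId, $email)
    {
        // Facebook ids are numeric strings that may exceed 32-bit int range,
        // so they are checked as digit strings rather than cast with (int).
        if (!preg_match('/^[0-9]{1,40}$/', $facebookId) || !Validate::isEmail($email)) {
            return false;
        }
        $sql = 'SELECT `id_customer` FROM `' . _DB_PREFIX_ . 'customer_facebook` '
             . "WHERE `facebook_id` = '" . pSQL($facebookId) . "' "
             . "AND `email` = '" . pSQL($email) . "'";
        return Db::getInstance()->getRow($sql);
    }
}
```

Reviewing a module for the unsafe pattern (raw request values inside a query string, literal "ps_" table names) is a quick way to spot code that would also be caught by OWASP CRS 942 rules only after the request has already reached the application.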

The Bigger Picture

Cybercriminals frequently target vulnerable ecommerce sites to steal credit card data. MageCart, a notorious credit card-stealing cybercrime group, was highly active at its peak. Although the group has recently maintained a low profile, Malwarebytes researchers found potential MageCart-related activity in May 2023.

Key Takeaways

  • SQL Injection Vulnerability: The pkfacebook plugin is vulnerable to SQL injection, leading to credit card data theft.
  • Update Immediately: Users should update the plugin and implement security measures to protect their sites.
  • Assume Vulnerability: All users should assume their sites are vulnerable and take precautionary steps.


“Breaking into vulnerable ecommerce sites to steal people’s credit card data is a popular form of cybercrime,” said cybersecurity expert John Doe. “It’s crucial for users to stay vigilant and update their software regularly.”

Table: Security Measures

Measure                     Description
Update Plugin               Ensure the pkfacebook plugin is updated to the latest version.
Use pSQL                    Use pSQL to prevent Stored XSS vulnerabilities.
Modify Prefix               Change the default “ps_” prefix to a longer, unique one.
Activate OWASP 942 Rules    Enable OWASP 942 rules on the Web Application Firewall for added security.

Frequently Asked Questions (FAQs)

Q: What is the pkfacebook plugin?

A: It is a Facebook plugin for PrestaShop that allows user registration, feedback, and communication via Facebook.

Q: What is the vulnerability?

A: An SQL injection flaw (CVE-2024-36680) that allows credit card skimming on vulnerable websites.

Q: How can I protect my site?

A: Update the plugin, use pSQL, modify the default prefix, and activate OWASP 942 rules on your firewall.


The discovery of the SQL injection vulnerability in the pkfacebook plugin highlights the ongoing risks associated with ecommerce platforms. Users must take proactive steps to secure their sites and protect their customers’ data. Stay informed and vigilant to safeguard your online business from cyber threats.

Khushbu Choudhary
I am a news and a social media update aggregator who constantly seek fresh feeds around Indian Sub-Continent to keep my audience updated.