thirty bees forum
  • 0

Prestashop security alert. Is TB affected?


Question

Posted

Had this in an email from Prestashop. 
Is it an issue for Thirtybees?

<——————————————————————-
We have recently identified a security threat affecting some online stores within the PrestaShop ecosystem. A malicious script (“digital skimmer”) has been detected and may have led to the theft of customers’ payment information.

This malware operates by replacing the legitimate payment buttons on the checkout page with fraudulent ones. When a customer clicks on one of these fake buttons, they are redirected to a counterfeit payment form designed to capture their bank card details.

At this stage, we strongly recommend that you contact your PrestaShop expert agency or PrestaShop Support as soon as possible to perform a thorough security check of your store and ensure it has not been compromised.


8 answers to this question


  • 0
Posted

They didn't disclose the attack vector - we don't know how those shops were infected with this malware. Without that information we can't really say if thirty bees is affected or not.

  • Like 1
  • 0
Posted

The standard procedure in Prestashop is to release beta versions with thousands of bugs and security vulnerabilities for download as stable versions, and then fix these bugs in dozens of subversions. If stores do not update the engine and modules, they get hacked. There was a security vulnerability in PS 9.0.2, which was patched in the latest version 9.0.3. The basic order completion module “ps_checkout” used since PS 1.7 also had a vulnerability.

Here are all the security vulnerabilities detected in Prestashop and its modules: https://security.friendsofpresta.org/ 

  • 0
Posted

They do outline the script code to look for. I just searched my website via F12 and then looked through the website code via MS Code and didn't find this expression anywhere, so I assume that I am not affected.

"<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob"

  • 0
Posted
14 hours ago, x97wehner said:

They do outline the script code to look for. I just searched my website via F12 and then looked through the website code via MS Code and didn't find this expression anywhere, so I assume that I am not affected.

"<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob"

Yes, if this code exists in your tpl files, it means your store is already infected. But the fact that it isn't present doesn't mean your store is not vulnerable to this attack.

We don't know about any vulnerability in the core that would allow an attacker to modify/write to tpl files. We regularly check the CVE database for prestashop vulnerabilities, and look for those that are relevant to the ps16 codebase (so they are relevant to us, most likely). Again, that doesn't mean that they don't exist, we just don't know about any at the moment. But there were some that we have fixed in the past - running very old thirty bees versions is not encouraged.

Most of the time the culprits are third party modules, usually those that allow uploading files (images usually) and do not properly sanitise inputs. That may allow an attacker to upload php files instead of an image, and then they have complete access to your entire store.

Thankfully, you can use the core updater module to check if any of the core files have been modified. If your store is infected, you will see it there as well.

If your store is infected, it's not enough to just remove the infection. You need to find the back door that was used to install the infection. That can be quite hard. Your server access logs can help a lot, so keep a few months of them if you can.

  • Thanks 5
  • 0
Posted
23 minutes ago, theMerchantDev said:

And check every day.

With a busy store that's quite hard to do, though. We have an installation with an average of 1M daily requests; that's hard to comb through manually. You can install some software to detect anomalies, but that's it.

When you find an infection on your store, you know from the file modification date when it happened (unless the script changed it, but in my experience they rarely do), so that can help a lot. You just need to detect it and still have access logs.
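An added, defender-side example that is not code from this thread or from the thirty bees project: it combines the three checks the replies above describe (searching files for the script fragment quoted from the advisory, looking for PHP files dropped into upload directories, and listing recently modified files to correlate with access logs). The directory names, the seven-day window and the constructed sample store are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Loader fragment quoted in the PrestaShop advisory (as posted in this thread).
SKIMMER_MARKER = "(function(){var x=new XMLHttpRequest;x.open('GET',atob"
SUSPECT_SUFFIXES = {".tpl", ".js", ".php", ".html"}
UPLOAD_DIRS = {"img", "upload", "download"}  # assumption: upload locations that should never hold PHP

def scan_store(root, recent_days=7, now=None):
    """Walk a store tree and return three finding lists: files carrying the
    skimmer marker, PHP files sitting under an upload directory, and suspect
    files modified within recent_days (to correlate with access logs)."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {"infected": [], "php_in_upload": [], "recent": []}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(root)
        mtime = path.stat().st_mtime
        text = path.read_text(encoding="utf-8", errors="ignore")
        if SKIMMER_MARKER in text:
            findings["infected"].append(rel.as_posix())
        if path.suffix.lower() == ".php" and UPLOAD_DIRS & set(rel.parts[:-1]):
            findings["php_in_upload"].append(rel.as_posix())
        if mtime >= cutoff:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
            findings["recent"].append((rel.as_posix(), stamp))
    return findings

def demo():
    """Build a constructed sample store in a temp directory and scan it."""
    now = 1_700_000_000  # fixed clock so the result is deterministic
    sample = {  # constructed files: path -> (content, mtime)
        "themes/mytheme/tpl/checkout.tpl": ("<script>" + SKIMMER_MARKER + "(''))</script>", now - 3600),
        "themes/mytheme/tpl/header.tpl": ("<header>{$shop_name}</header>", now - 90 * 86400),
        "img/p/1/shell.php": ("<?php /* dropped through an upload form */ ?>", now - 2 * 86400),
        "img/p/1/1.jpg": ("image bytes, not scanned", now - 60),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (content, mtime) in sample.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
            os.utime(p, (mtime, mtime))
        return scan_store(tmp, now=now)
```

Run `scan_store("/path/to/store")` against a real store root; `demo()` only exercises the checks on the constructed tree.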
