PrestaShop Addon – “Data Privacy Extended” (ver < 3.7.8) Vulnerable to CSRF

Updated on: March 29, 2020

PrestaShop Addon – “Data Privacy Extended” (ver < 3.7.8)
Vulnerability name: CSRF (Cross-Site Request Forgery) in the “Delete Account”
Affected PrestaShop versions: v1.6.0.4 – v1.7.6.0
Vulnerable Version: <3.7.8
Patched version: 3.7.8
Vulnerability Reported: 20th June 2019
Vulnerability Patched: 25th June 2019
While performing a security audit on one of our PrestaShop clients at Astra, I found a critical CSRF (Cross-Site Request Forgery) vulnerability in a PrestaShop module, Data Privacy Extended (developed by Innovadeluxe). It currently has more than 2500 active installations. Due to this vulnerability, an unauthenticated user could delete the account of an authenticated PrestaShop user by tricking him into opening malicious links on the web.

 

As a concerned and responsible security company, Astra reported the vulnerability to the developers without delay. Developers of Innovadeluxe were quick to respond and prompt in their action. They patched the vulnerability and released the updated version 3.7.8 on 25th June 2019.

Vulnerability details:

The Data Privacy Extended module is known for making PrestaShop websites more aligned with the GDPR. It has features such as requiring privacy consent in the newsletter subscription form, contact form, registration form, etc. It also allows customers to delete their accounts if there are no proper invoices for placed orders.
The delete-account URL/API endpoint was vulnerable to CSRF (Cross-Site Request Forgery), which would allow a hacker to trick a logged-in user into deleting his/her PrestaShop account just by visiting a malicious URL or web page.
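
The check whose absence makes a delete-account endpoint forgeable, as an added example that is not the module's or Innovadeluxe's code: a plain-PHP handler that refuses GET requests and requires a token bound to the logged-in session. The function names, session layout and sample requests are all constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical delete-account handler, not the module's code.

// Token bound to the logged-in session; a page on another origin cannot read it.
function issueCsrfToken(array &$session): string
{
    $session['csrf_key'] ??= random_bytes(32);
    return hash_hmac('sha256', 'delete-account|' . $session['customer_id'], $session['csrf_key']);
}

// Returns [HTTP status, message]. $deleteFn stands in for the real account removal.
function handleDeleteAccount(array &$session, string $method, array $post, callable $deleteFn): array
{
    if (empty($session['customer_id'])) {
        return [401, 'not logged in'];
    }
    // State-changing action: refuse GET, so a link or image load cannot trigger it.
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    // Constant-time comparison against the token issued for this session.
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || !hash_equals(issueCsrfToken($session), $sent)) {
        return [403, 'invalid CSRF token'];
    }
    $deleteFn($session['customer_id']);
    return [200, 'account deleted'];
}

// Constructed sample session and requests.
$session = ['customer_id' => 42];
$deleted = [];
$delete  = function (int $id) use (&$deleted): void { $deleted[] = $id; };

$token = issueCsrfToken($session); // rendered into the shop's own confirmation form
$cases = [
    'forged GET link'        => ['GET',  []],
    'forged POST, no token'  => ['POST', []],
    'forged POST, bad token' => ['POST', ['token' => str_repeat('0', 64)]],
    'genuine form submit'    => ['POST', ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    [$status, $msg] = handleDeleteAccount($session, $method, $post, $delete);
    printf("%-24s -> %d %s\n", $label, $status, $msg);
}
printf("accounts deleted: %d\n", count($deleted));
```

Only the request carrying the session's own token reaches the deletion callback; the three forged variants are rejected before any state changes.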

Technical details:

Here is a proof of concept that depicts how the vulnerability could have been exploited,

 

What you can do:

CSRF attacks are scary; they let an attacker get hold of sensitive information on your website, like credit card details, confidential databases, admin accounts, etc. But being prepared beforehand can help you deflect such attempts on your website. The following are a few ways you can protect your website:

1) Update to the latest version

The plugin developers have updated and released the patched version on PrestaShop. If you have not moved to the updated and safer version (3.7.8) yet, update now. In addition to this, if you are using an outdated version of the CMS, update that too.

2) Invest in a firewall

A firewall adds a protective layer to your website. Investing in a good web application firewall can give you increased security and fewer problems: basically, a high return on the investment. One such premium firewall is the Astra Firewall.

It blocks CSRF, SQLi, XSS, bad bots, OWASP TOP 10 and 100+ other coming threats on your website. A firewall also provides a continuous & comprehensive monitoring system for your website.

Moksh Gupta

I'm a Security Researcher & also an aspiring Digital Marketer. I spend my time doing BugBounty hunting and also learning new things in the area of Digital Marketing. I also make videos and write on my blog about cybersecurity and my new findings. Also, if you want to learn hacking then do check out my Blog and my profile to know more!