Vulnerability name: CSRF (Cross-Site Request Forgery) in the “Delete Account”
Affected Prestashop versions: v1.6.0.4 – v1.7.6.0
Vulnerable Version: <3.7.8
Patched version: 3.7.8
Vulnerability Reported: 20th June 2019
Vulnerability Patched: 25th June 2019
While performing a security audit on one of our Prestashop clients at Astra, I found a critical CSRF (Cross-Site Request Forgery) vulnerability in PrestaShop module, Data Privacy Extended (developed by Innovadeluxe). It currently has more than 2500 active installations. Due to this vulnerability, an unauthenticated user could delete the account of an authenticated PrestaShop user by tricking him into opening malicious links on the web.
As a concerned and responsible security company, Astra reported the vulnerability to the developers without delay. Developers of Innovadeluxe were quick to respond and prompt in their action. They patched the vulnerability and released the updated version 3.7.8 on 25th June 2019.
Vulnerability details:
Data Privacy Extended module is known to make PrestaShop websites more aligned with the GDPR. It has features like Privacy consent required in the newsletter subscription form, contact form, register form, etc. Plus, it also allows its customers to delete their accounts if there are not proper invoices for placed orders.
So, the delete account URL/API endpoint was vulnerable to CSRF (Cross Site Request Forgery), which would allow a hacker to trick a logged in user to delete his/her PrestaShop account just by visiting a malicious URL/visit a web page.
Technical details:
Here is a proof of concept that depicts how the vulnerability could have been exploited,
What you can do:
CSRF attacks are scary; they let an attacker get hold of sensitive information of your website like credit card details, confidential databases, admin account, etc. But, being prepared in beforehand can help you deflect such attempts on your website. Following are a few ways you can protect your website:
1) Update to the latest version
The plugin developers have updated and released the patched version on Prestashop. If you have not moved to the updated and safer version (3.7.8) yet update now. In addition to this, if you are using an outdated version of the CMS, update that too.
2) Invest in a firewall
A firewall leverages a protective layer on your website. Investing in a good web application firewall can give you increased security, lesser problems, basically high return on the investment. One such premium firewall is the Astra Firewall.
It blocks CSRF, SQLi, XSS, bad bots, OWASP TOP 10 and 100+ other coming threats on your website. A firewall also provides a continuous & comprehensive monitoring system for your website.
Click here to protect your website.
It blocks CSRF, SQLi, XSS, bad bots, OWASP TOP 10 and 100+ other coming threats on your website. A firewall also provides a continuous & comprehensive monitoring system for your website.
Click here to protect your website.