The plugin also comes with support for chat transcripts and makes it easy to set up auto-replies and FAQs outside working hours to provide visitors with helpful information while the site owner can’t reply.
Man in the middle of your site’s chat
In a report published today by Wordfence’s Threat Intelligence team, threat analyst Chloe Chamberland says that the high-severity authenticated options change vulnerability, rated with a 7.4 CVSS base score, was discovered on June 26, 2020.
Facebook’s security team addressed the flaw with the release of version 1.6 on July 28, roughly a month after they responded to Wordfence’s initial report.
On websites running a vulnerable version of the Official Facebook Chat Plugin, low-level authenticated attackers can “connect their own Facebook Messenger account [..] and engage in chats with site visitors[..].”
To connect the chat pop-up with the owner’s Facebook page, the plugin uses the wp_ajax_update_options AJAX action which, in unpatched versions, did not check if page connection requests came from authenticated website admins.
“This made it possible for any authenticated user, including subscriber level accounts, to send a request to update the options and hook-up their own Facebook Messenger account,” Chamberland explains.
“As a result, attackers could link their own Facebook Page Messenger account, by updating the page ID, to any given site running the plugin as long as they were able to register on the site and access the /wp-admin dashboard.”
After successfully linking their own Facebook page to the targeted site’s chat, attackers receive any messages sent through the site’s Messenger Chat, with the site owner no longer receiving any incoming messages.
“Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information,” Chamberland adds.
Attackers could also use their access to compromised sites’ chats to ruin the sites’ reputation through toxic interaction with their visitors or to cause loss of revenue by “driving traffic to the competitors business.”
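The flaw comes down to an AJAX handler that changes site options without checking who is calling it. The following is an added illustration of that pattern, not the plugin’s own code: the action name wp_ajax_update_options is the one named above, while the option key, the POST parameter name, the nonce action and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from the Facebook Chat Plugin. Option key
// 'fbmc_page_id', POST field 'page_id' and the nonce action are assumed.

// Before: WordPress dispatches every wp_ajax_{action} request from ANY
// logged-in account, so a handler with no capability check lets a
// subscriber-level user overwrite the linked Messenger page ID.
function fbmc_update_options_unsafe() {
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'fbmc_page_id', $page_id );
    wp_send_json_success();
}

// After: bind the request to a nonce issued on the settings screen
// (wp_create_nonce( 'fbmc_update_options' )) and require an admin-level
// capability before any option is written.
function fbmc_update_options_safe() {
    // Rejects the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'fbmc_update_options', 'nonce' );

    // Authorization: only users who may manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Input validation: a Facebook page ID is a numeric string.
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    if ( ! preg_match( '/^\d{1,20}$/', $page_id ) ) {
        wp_send_json_error( 'invalid page id', 400 );
    }

    update_option( 'fbmc_page_id', $page_id );
    wp_send_json_success( array( 'page_id' => $page_id ) );
}

// Register only the hardened handler for the authenticated AJAX action.
add_action( 'wp_ajax_update_options', 'fbmc_update_options_safe' );
```

When auditing a plugin for this class of bug, every `add_action( 'wp_ajax_…' )` callback that writes options or settings should contain both a nonce check and a `current_user_can()` test; the presence of a login alone is not an authorization decision.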
Over 50,000 sites still exposed to attacks
Even though Facebook Chat Plugin version 1.6, the release that addresses this vulnerability, was published on July 28, the plugin has been downloaded only 25,657 times since then, based on historical download data provided by WordPress’ plugin portal; that figure covers both updates and new installs.
This means that at least 54,000 WordPress sites with active Messenger Chat pop-ups are still left exposed to attacks designed to exploit this flaw as part of future hacking campaigns.
Facebook Chat Plugin users are strongly recommended to update their plugin to version 1.6 as soon as possible to block attacks designed to hijack their sites’ chat as part of social engineering schemes.
Yesterday, Wordfence also reported reflected Cross-Site Scripting (XSS) and PHP Object Injection vulnerabilities found in the Newsletter WordPress plugin that can let hackers inject backdoors, create rogue admins, and potentially take over affected sites.
Wordfence also found a critical bug in Google’s official WordPress plugin with 300,000 installations that could allow attackers to gain owner access to targeted sites’ Google Search Console and facilitate black hat SEO campaigns.