Flaw on the Official Facebook Chat Plugin enabled Social Engineering Attacks

A flaw in The Official Facebook Chat Plugin made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. This WordPress plugin is currently installed on over 80,000 sites.

What is the Facebook Chat plugin

The Official WordPress Facebook Chat plugin is a very simple plugin that is used to add a “Facebook Messenger” chat pop-up to any WordPress site and connect a site owner’s chosen Facebook page to receive messages and interact with site visitors.

This vulnerability could be exploited and easily go undetected by a site owner, causing site visitors to interact with an attacker instead of the site owner. Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information.

Another possible scenario for exploiting this vulnerability is that a competitor could use it to their advantage. By submitting an empty value for the pageID parameter, a competitor could completely disable the chat, causing a loss of availability for the chat service and potentially a loss of sales.

How Wordfence explains the Facebook Chat plugin vulnerability

The plugin does most of its design work through a dialog on Facebook.com. However, once that dialog finishes, the plugin updates the options fbmcc_pageID and fbmcc_locale to set the ID of the Facebook page that will be connected to the pop-up on the front end of the site, and the language localization that should be used.

In order to do so, the plugin registered an AJAX action wp_ajax_update_options hooked to the fbmcc_update_options function.

add_action( 'wp_ajax_update_options', 'fbmcc_update_options');
function fbmcc_update_options() {
  // Verifies the nonce only; nothing checks that the caller is an administrator.
  check_ajax_referer( 'update_fmcc_code' );
  update_option( 'fbmcc_pageID', sanitize_text_field($_POST['pageID']));
  update_option( 'fbmcc_locale', sanitize_text_field($_POST['locale']));
  wp_die();
}

Unfortunately, this AJAX action had no capability checks to verify that a request was coming from an authenticated administrator. This made it possible for any authenticated user, including subscriber level accounts, to send a request to update the options and hook-up their own Facebook Messenger account.
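To make the missing authorization check concrete, here is the vulnerable handler pattern from the advisory side by side with a hardened version. This is an added example, not the plugin's own code or the fix shipped in version 1.6; the `example_` function names are hypothetical, and the assumptions that a Facebook page ID is a numeric string and that the locale takes the `ll_CC` form are mine. The hardened version also rejects an empty page ID, which covers the availability scenario described above.

```php
<?php
// Added example (not the plugin's own code). Shows the vulnerable AJAX handler
// pattern next to a hardened version that adds the missing capability check
// and validates input. Function names prefixed "example_" are hypothetical.

// Vulnerable pattern: the nonce check alone does not establish authorization.
// Any logged-in user who can obtain the nonce (e.g. a subscriber) can overwrite
// the connected Facebook page, or blank it to disable the chat.
function example_vulnerable_update_options() {
    check_ajax_referer( 'update_fmcc_code' );
    update_option( 'fbmcc_pageID', sanitize_text_field( $_POST['pageID'] ) );
    update_option( 'fbmcc_locale', sanitize_text_field( $_POST['locale'] ) );
    wp_die();
}

// Hardened pattern.
function example_hardened_update_options() {
    // 1. CSRF protection: the nonce proves the request originated from the
    //    plugin's own settings page.
    check_ajax_referer( 'update_fmcc_code' );

    // 2. Authorization: only users permitted to manage site options may change
    //    the connected page. This is the check the vulnerable handler lacked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation. Assumption: Facebook page IDs are numeric strings.
    //    An empty value would silently disable the chat, so reject it explicitly.
    $page_id = isset( $_POST['pageID'] )
        ? sanitize_text_field( wp_unslash( $_POST['pageID'] ) )
        : '';
    if ( '' === $page_id || ! ctype_digit( $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }

    // Assumption: locale is an "ll_CC" code such as en_US.
    $locale = isset( $_POST['locale'] )
        ? sanitize_text_field( wp_unslash( $_POST['locale'] ) )
        : 'en_US';
    if ( ! preg_match( '/^[a-z]{2}_[A-Z]{2}$/', $locale ) ) {
        wp_send_json_error( array( 'message' => 'Invalid locale.' ), 400 );
    }

    update_option( 'fbmcc_pageID', $page_id );
    update_option( 'fbmcc_locale', $locale );
    wp_send_json_success();
}

add_action( 'wp_ajax_update_options', 'example_hardened_update_options' );
```

The key design point is that `check_ajax_referer()` answers "did this request come from our form?" while `current_user_can()` answers "is this user allowed to do this?"; a state-changing `wp_ajax_` handler needs both, because every logged-in role can reach `admin-ajax.php`.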

This flaw has been fully patched in version 1.6. We recommend that users immediately update to the latest version available, which is version 1.6 at the time of this publication.

How can you protect yourself as a site visitor?

Never, in any situation, divulge sensitive information, like access credentials or credit card data, to anyone unless you can truly verify the person or company is who they say they are and they have a legitimate “need to know.”

Both sites using Wordfence Premium and those still using the free version of Wordfence are protected from attacks against this vulnerability. If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical security update.

Read more about this vulnerability on the Wordfence Blog
