The Official Facebook Chat Plugin Lets Hackers Hijack WordPress Sites’ Chat
This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites
The Official WordPress Facebook Chat plugin is a very simple plugin designed to add a “Facebook Messenger” chat pop-up to any WordPress site and connect a site owner’s chosen Facebook page to receive messages and interact with site visitors.
In a report published today by Wordfence’s Threat Intelligence team, threat analyst Chloe Chamberland says that the high severity authenticated options change vulnerability with a 7.4 CVSS base score rating was discovered on June 26, 2020.
Facebook’s security team addressed the flaw with the release of version 1.6 on July 28, roughly a month after they responded to Wordfence’s initial report.
On websites running a vulnerable version of the Official Facebook Chat Plugin, low-level authenticated attackers can “connect their own Facebook Messenger account [..] and engage in chats with site visitors[..].”
To connect the chat pop-up with the owner’s Facebook page, the plugin uses the wp_ajax_update_options AJAX action which, in unpatched versions, did not check if page connection requests came from authenticated website admins.
“This made it possible for any authenticated user, including subscriber level accounts, to send a request to update the options and hook-up their own Facebook Messenger account,” Chamberland explains.
“As a result, attackers could link their own Facebook Page Messenger account, by updating the page ID, to any given site running the plugin as long as they were able to register on the site and access the /wp-admin dashboard.”
After successfully linking their own Facebook page to the targeted site’s chat, attackers receive any messages sent through the site’s Messenger Chat, with the site owner no longer receiving any incoming messages.
“Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information,” Chamberland adds.
Attackers could also use their access to compromised sites’ chats to ruin the sites’ reputation through toxic interaction with their visitors or to cause loss of revenue by “driving traffic to the competitors business.”
How Could this Vulnerability be Used?
This vulnerability could be exploited and easily go undetected by a site owner, causing site visitors to interact with an attacker instead of the site owner. Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information.
Another possible scenario for this vulnerability to be exploited is that a competitor could use it to their advantage. By supplying nothing for the
pageid parameter, a competitor could completely disable the chat, causing a loss of availability for the chat service, potentially resulting in a loss of sales.
Worse yet, they could connect a fake page to look like the target site’s original page and, when site visitors begin interacting, they could be intentionally rude or offensive, deterring those site visitors from doing further business with the target site and ruining the site’s reputation, or driving traffic to the competitors business, causing a loss in customers and revenue.
Facebook Chat Plugin users are strongly recommended to update their plugin to version 1.6 as soon as possible to block attacks designed to hijack their sites’ chat as part of social engineering schemes.
Yesterday, Wordfence also reported reflected Cross-Site Scripting (XSS) and PHP Object Injection vulnerabilities found in the Newsletter WordPress plugin that can let hackers inject backdoors, create rogue admins, and potentially take over affected sites.