Credit card data hack on WooCommerce

How Can Hackers Steal Credit Card Data From Your WooCommerce Store?

If you have a credit card form on your WooCommerce checkout page, it is time to worry. We have noticed that a large share of payment gateway plugins allow customers to enter credit card information directly on the checkout page. Even if you do not save this data in your online store, under the right conditions it can be read and saved to a file on another server. If hackers manage to find a vulnerability in your online store, it is very likely that they will be able to inject a keylogger that steals your customers’ credit card data.


The difference between entering data in your WooCommerce store and payment provider page

When you have credit card input fields on the checkout page, these fields can be affected by JavaScript or PHP code running on your site. This risk disappears when customers enter credit card details on another page, for example PayPal, or when the credit card form is loaded from a different site as an iframe. If you do not know how these fields are displayed on your website, we recommend asking your online store administrator whether there is a risk of data leakage.

An example of how credit card details can be stolen

Suppose you have credit card fields on the checkout page and use several plugins, one of which has a vulnerability such as “stored XSS”, which is found quite often in various plugins. We remind you that the more plugins you use, the greater the risk of security issues. Always evaluate your plugins. A “stored XSS” vulnerability allows the hacker to place a keylogger in your online store and capture the contents of the credit card input fields, i.e. send them to the hacker.

Let’s say you are using the Advanced Search for WooCommerce plugin, in which we recently found a “Stored XSS” vulnerability. This plugin has a Custom CSS field where CSS code can be saved. The existing “Stored XSS” vulnerability allows this field to be changed even if the user is not logged in to the website. The hacker places a keylogger (a JavaScript script) that will be loaded on each page, including the payment page.

The keylogger is uploaded using the security vulnerability in the Advanced Search for WooCommerce plugin.

[Image: How hackers can steal credit card data 2]

The uploaded keylogger looks like this. It is loaded on every page including the checkout page.

[Image: How hackers can steal credit card data 3]

The JavaScript keylogger code looks like this:

[Image: How hackers can steal credit card data 4]

When the “Place Order” button is pressed, this code collects the credit card details, i.e. the cardholder’s name, card number, expiry date and security code, and sends this data using the HTTP POST method to a file on the hacker’s server.

Then, on the hacker’s server, all of this data is stored in the credit_cards.txt file. The PHP code looks like this:

[Image: How hackers can steal credit card data 5]

All saved data can be viewed in the credit_cards.txt file.
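
A defensive check for the scenario described above, as an added example that is not part of the original post: it audits a checkout page's HTML for card inputs rendered in the store's own DOM, external scripts from unapproved origins and cross-origin payment frames, and tests a stored Custom CSS value for markup. The function names, the field-name hints and all hostnames are assumptions made for illustration.

```javascript
// Added example: static audit of a checkout page (regex tag matching for brevity;
// a production audit should use a real HTML parser).
const CARD_HINT = /card|cc-|cvc|cvv|expiry/i; // assumed naming hints for card fields

function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : "";
}

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return "invalid"; }
}

function auditCheckout(html, storeOrigin, allowedScriptOrigins) {
  const allowed = new Set([storeOrigin, ...allowedScriptOrigins]);
  const tags = (name) => html.match(new RegExp(`<${name}\\b[^>]*>`, "gi")) || [];

  // Card inputs in the store's own DOM can be read by any script running on the page.
  const cardFieldsInPage = tags("input")
    .map((t) => attr(t, "name") || attr(t, "id"))
    .filter((n) => CARD_HINT.test(n));

  // External scripts served from an origin that nobody approved.
  const unexpectedScripts = tags("script")
    .map((t) => attr(t, "src"))
    .filter((src) => src && !allowed.has(originOf(src, storeOrigin)));

  // Frames from another origin: page scripts cannot reach fields inside them.
  const crossOriginFrames = tags("iframe")
    .map((t) => attr(t, "src"))
    .filter((src) => src && originOf(src, storeOrigin) !== storeOrigin);
  return { cardFieldsInPage, unexpectedScripts, crossOriginFrames };
}

// A stored "Custom CSS" value should never contain markup: "<" directly followed
// by a tag name, "/" or "!" means something other than CSS was saved in the field.
function customCssHasMarkup(value) {
  return /<[a-z\/!]/i.test(value);
}

// Constructed sample page; all hostnames are placeholders.
const SAMPLE = `
<input type="text" name="billing_email">
<input type="text" name="card_number" autocomplete="cc-number">
<input type="text" id="card_cvc">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.unknown.example/a.js"></script>
<iframe src="https://pay.provider.example/card-form"></iframe>`;
console.log(auditCheckout(SAMPLE, "https://shop.example", ["https://pay.provider.example"]));
```

Any entry in `cardFieldsInPage` means the card data is within reach of every script the page loads, so each entry in `unexpectedScripts` on such a page deserves immediate review.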

Darius S.
