ATTENTION – Alerte Prestashop – Vérifiez votre boutique

Alerte réelle.

Suite à une communication de Prestashop, reçue il y a quelques minutes, nous vous transmettons l’alerte de Prestashop concernant des tentatives de piratages cherchant à détourner les moyens de paiement. Pour le moment les attaques semblent avoir été ciblées et Prestashop communique rapidement.

Si vous n’avez pas de contrat de maintenance, nous vous conseillons de procéder à la mise à jour en version 1.7.8.2 minimum. En effet, à partir de cette version les boutiques ne sont pas concernées par ce problème.

Message d’origine

In order to maintain the quality of our services, we inform you that a security vulnerability has been identified.

This vulnerability is likely to affect stores that have not carried out the latest recommended software updates.

In case you are affected, we invite you to take note of the details of this vulnerability in order to fix it as soon as possible and take the necessary measures that you or your Data Protection Officer may deem necessary.

In case your shop is compromised and in order to allow you to notify this personal data breach to the supervisory authority on this page of the website of the Commission Nationale de l’Informatique et des Libertés (hereinafter the « CNIL »), we share with you below the course of the investigations carried out, together with the first technical evidence in our possession.

On July 19, 2022, at 2:00 pm, several members of the PrestaShop ecosystem notified PrestaShop employees of security incidents.

A few hours later, it was confirmed by PrestaShop’s technical teams that a malicious code (« payload ») was inserted by a malicious third party on several e-commerce stores.

The same day at 10:00 pm, PrestaShop technical teams were able to understand and reproduce the attack and could confirm the existence of the security flaw that would allow a malicious third party to insert malicious code into the scripts of e-commerce stores hosted by the PrestaShop company and created with its solution.

The insertion of this malicious code, likely to allow this (these) third party (ies) to take control of the sites concerned seems to have been made possible by an « SQL injection », coupled with a security flaw found in the operators of these stores who have not performed the latest software updates recommended by the company PrestaShop.

On the morning of July 20, 2022, a report was written by the members of the crisis unit to describe the cyber attack, its causes and consequences identified, as well as the resolution and communication measures to be implemented.

To date, a criminal complaint is being filed as well as a declaration to the National Agency for the Security of Information Systems.

In case you need additional information, please contact us at our email address: privacy@prestashop.com.

For all purposes, we remind you that it is your responsibility to make the necessary software updates to ensure that the systems remain protected against security vulnerabilities.

In order to know more about « how the attack works, what to do to keep you shop safe and how to tell if you have been infected » please read the following article: here

Please be assured that we will do our utmost to assist you in the completion of your project.

Best regards,

PrestaShop