On June 26, 2020, a partner’s Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites worldwide.  The flaw made it possible for low-privileged authenticated users to connect their own Facebook Messenger account to any site running the vulnerable plugin and to engage in chats with that site’s visitors.

We strongly recommend updating to version 1.6, which contains the fix, immediately, to protect your site against attempts to exploit this vulnerability.


What is The Official Facebook Chat Plugin?

The Official Facebook Chat Plugin is a simple WordPress plugin that adds a “Facebook Messenger” chat pop-up to a site.  It connects the site owner’s chosen Facebook Page to the pop-up so that the owner receives visitors’ messages and can chat with them.

Most of the set-up is done through a dialog on Facebook.com.  Once that dialog finishes, the plugin updates two of its options: fbmcc_pageID, the ID of the Facebook Page connected to the pop-up on the front end of the site, and fbmcc_locale, the language localisation to use.

To write those options, the plugin registered an AJAX action, wp_ajax_update_options, hooked to the fbmcc_update_options function.  Because the hook uses the wp_ajax_ prefix rather than wp_ajax_nopriv_, the action was reachable only by logged-in users, but by any logged-in user.


So, what went wrong?

Unfortunately, this AJAX handler performed no capability check (such as current_user_can( 'manage_options' )) to verify that the request came from a user allowed to administer the site.  Any authenticated user, including a subscriber-level account, could therefore send a request to the action, overwrite the options, and connect their own Facebook Messenger account.

In addition, the nonce used for CSRF protection was easily discoverable in the source of any /wp-admin dashboard page: the function hooked to the admin_enqueue_scripts action generated the nonce on every admin page load and exposed it to the browser through wp_localize_script as the JavaScript global ajax_object.nonce.

As a reminder, every default WordPress role, subscriber included, can reach the /wp-admin area (at minimum the dashboard and profile pages).  Any authenticated user could therefore load an admin page, read the nonce out of its source, and submit it with the update_options request to pass the check_ajax_referer check.

add_action( 'admin_enqueue_scripts', 'fmcc_localize_ajax' );

// ... (unrelated code omitted) ...

// Runs on every admin page load, for every logged-in user, not only administrators.
function fmcc_localize_ajax() {
  $ajax_object = array(
    // The CSRF nonce for the update action, generated for whoever is logged in.
    'nonce' => wp_create_nonce( 'update_fmcc_code' )
  );
  wp_register_script( 'code_script', plugin_dir_url( __FILE__ ) . 'script.js' );
  // Exposes the nonce as the JavaScript global ajax_object, readable in the page source.
  wp_localize_script( 'code_script', 'ajax_object', $ajax_object );
  wp_enqueue_script( 'code_script' );
}
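The write-up does not show the handler itself, so the following is an added illustration (not code from the plugin or from the original post) of an option-update handler of the kind described above, first in its vulnerable shape and then hardened.  The hook, function, option and nonce-action names and the pageid parameter follow the text; the handler bodies, the locale parameter name and the validation rules are assumptions.

```php
<?php
// Added example, not the plugin's actual code: a handler of the kind the text describes.
// Names taken from the write-up: wp_ajax_update_options, fbmcc_update_options,
// fbmcc_pageID, fbmcc_locale, nonce action update_fmcc_code, request parameter pageid.
// The 'locale' parameter name and the validation rules are assumptions.

// VULNERABLE shape: the only gate is the nonce, which every logged-in user can read
// from the admin area, so a subscriber who scraped it passes this check.
function fbmcc_update_options_vulnerable() {
    check_ajax_referer( 'update_fmcc_code' );
    update_option( 'fbmcc_pageID', $_POST['pageid'] );
    update_option( 'fbmcc_locale', $_POST['locale'] );
    wp_die();
}

// HARDENED shape: the nonce defends against CSRF only; authorisation needs a
// capability check, and the values are validated before they reach the database.
function fbmcc_update_options_hardened() {
    // 1. Authorisation: only users allowed to change site options may proceed.
    //    wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF: reject requests that were not issued from a page this user loaded.
    check_ajax_referer( 'update_fmcc_code' );

    // 3. Input validation: a Facebook Page ID is a string of digits. An empty value
    //    would silently disable the chat, so it is rejected rather than stored.
    $page_id = isset( $_POST['pageid'] ) ? sanitize_text_field( wp_unslash( $_POST['pageid'] ) ) : '';
    if ( ! preg_match( '/^[0-9]{1,32}$/', $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID' ), 400 );
    }

    // 4. Locale: accept only the xx_XX shape (e.g. en_US) rather than arbitrary text.
    $locale = isset( $_POST['locale'] ) ? sanitize_text_field( wp_unslash( $_POST['locale'] ) ) : 'en_US';
    if ( ! preg_match( '/^[a-z]{2}_[A-Z]{2}$/', $locale ) ) {
        wp_send_json_error( array( 'message' => 'Invalid locale' ), 400 );
    }

    update_option( 'fbmcc_pageID', $page_id );
    update_option( 'fbmcc_locale', $locale );
    wp_send_json_success();
}

// Only the hardened handler is hooked. The wp_ajax_ prefix (as opposed to
// wp_ajax_nopriv_) already limits the action to logged-in users, but being
// logged in is authentication, not authorisation.
add_action( 'wp_ajax_update_options', 'fbmcc_update_options_hardened' );
```

Two points worth noting from the hardened version: the capability check comes before the nonce check, so an unauthorised user is refused whether or not they hold a valid nonce, and the validation rejects an empty page ID, which closes the “disable the chat” scenario described later.  Separately, an action name as generic as update_options can collide with other plugins registering the same wp_ajax_ hook; a plugin-specific prefix avoids that.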

In coding terms, a nonce is a number meant to be used once in a cryptographic exchange, typically a random or pseudo-random value issued in an authentication protocol so that old messages cannot be replayed; the name is borrowed from “nonce word”.  WordPress nonces do not quite fit that definition.  A WordPress nonce is a hash derived from the action name, the user ID, the session token and a twelve-hour time tick; it is identical for the whole tick and is accepted for both the current and the previous tick, so a single value scraped from an admin page can be replayed as often as the attacker likes for up to 24 hours.  It also protects only against cross-site request forgery: it says nothing about whether the user is allowed to perform the action.
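To make that lifetime point concrete, here is an added, stand-alone PHP model of how WordPress derives and checks a nonce, following the algorithm of wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() in wp-includes/pluggable.php.  It is neither WordPress code nor the plugin’s code, and the salt, timestamp, user IDs and session tokens are constructed values.

```php
<?php
// Added example: a stand-alone model of how WordPress derives and checks a nonce,
// following wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() from
// wp-includes/pluggable.php. Not WordPress code and not the plugin's code.
// The salt, timestamp, user IDs and session tokens below are constructed values.

const NONCE_LIFE = 86400;                             // DAY_IN_SECONDS, the default nonce_life
const DEMO_SALT  = 'constructed-salt-not-a-real-NONCE_KEY';

// WordPress divides time into ticks of half the nonce lifetime (12 hours by default).
function model_nonce_tick( int $now ): int {
    return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

// wp_hash( $data, 'nonce' ) is HMAC-MD5 keyed with the site's NONCE_KEY and NONCE_SALT.
function model_wp_hash( string $data ): string {
    return hash_hmac( 'md5', $data, DEMO_SALT );
}

// The nonce for one tick: 10 hex characters of HMAC( tick | action | user ID | session token ).
// Nothing random is involved, so the value is identical for the whole tick.
function model_nonce_for_tick( int $tick, string $action, int $uid, string $token ): string {
    return substr( model_wp_hash( $tick . '|' . $action . '|' . $uid . '|' . $token ), -12, 10 );
}

// wp_create_nonce()
function model_create_nonce( string $action, int $uid, string $token, int $now ): string {
    return model_nonce_for_tick( model_nonce_tick( $now ), $action, $uid, $token );
}

// wp_verify_nonce(): 1 if generated in the current tick, 2 if in the previous tick,
// false otherwise. A nonce is therefore accepted for between 12 and 24 hours.
function model_verify_nonce( string $nonce, string $action, int $uid, string $token, int $now ) {
    $i = model_nonce_tick( $now );
    if ( hash_equals( model_nonce_for_tick( $i, $action, $uid, $token ), $nonce ) ) {
        return 1;
    }
    if ( hash_equals( model_nonce_for_tick( $i - 1, $action, $uid, $token ), $nonce ) ) {
        return 2;
    }
    return false;
}

function expect( bool $cond, string $what ): void {
    if ( ! $cond ) {
        throw new RuntimeException( 'check failed: ' . $what );
    }
}

// --- Demonstration with constructed values -----------------------------------
$t0     = 1600000000;                    // fixed timestamp, well clear of a tick boundary
$uid    = 7;                             // the attacker's own subscriber account
$token  = 'constructed-session-token';
$action = 'update_fmcc_code';

// The value the attacker reads from ajax_object.nonce on any /wp-admin page.
$scraped = model_create_nonce( $action, $uid, $token, $t0 );

// 1. Not single-use: the same scraped value passes on every request within the tick.
for ( $n = 0; $n < 3; $n++ ) {
    expect( model_verify_nonce( $scraped, $action, $uid, $token, $t0 + $n * 60 ) === 1, 'reuse within tick' );
}

// 2. Long-lived: still accepted one tick (12 h) later, rejected two ticks later.
expect( model_verify_nonce( $scraped, $action, $uid, $token, $t0 + NONCE_LIFE / 2 ) === 2, 'previous tick' );
expect( model_verify_nonce( $scraped, $action, $uid, $token, $t0 + NONCE_LIFE ) === false, 'expired' );

// 3. Bound to user and session: another account's nonce is useless to the attacker,
//    which is why the attack needs an account of its own on the target site.
$other = model_create_nonce( $action, 8, 'another-constructed-token', $t0 );
expect( model_verify_nonce( $other, $action, $uid, $token, $t0 ) === false, 'other user' );

echo "nonce model checks passed\n";
```

Run it with php on the command line; it throws on the first failing check.  The third check is also why the vulnerability is rated as requiring authentication: the scraped nonce is only valid for the account that loaded the admin page, so the attacker needs a registered account on the target site, which open registration provides.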

As a result, an attacker who could register on a site running the plugin and reach its /wp-admin dashboard could change the page ID and link their own Facebook Page’s Messenger account to that site.  From then on the attacker received every message started from the site’s Messenger chat, and the site owner received none.


So, how could this be used against us?

This vulnerability could be exploited without the site owner noticing, so visitors would be talking to the attacker while believing they were talking to the site.  That makes it a natural vehicle for social engineering: posing as the site owner, the attacker could ask visitors for personally identifiable information, credentials, or other sensitive details.

A competitor could also exploit it.  By submitting an empty pageid parameter, they could disable the chat altogether, a loss of availability for the chat service that could translate directly into lost sales.

Worse, they could connect a fake Page made to look like the target site’s real one.  When visitors began chatting, they could be deliberately rude or offensive, deterring those visitors from doing further business with the site and damaging its reputation, or steer the conversation towards the competitor’s own business, costing the target customers and revenue.


What is ‘Social Engineering’?

Social engineering exploits human rather than technical “weaknesses”, through social interaction.  An attacker takes advantage of people’s inherent tendency to trust others, or to trust a site’s content.  Someone who has never had security awareness training for internet use may not recognise social engineering when it happens and may take no precautions against it.


What do I need to do?

If you’re hosted with us, we’ve already corrected the issue for you.  If you’re not, talk to us to find out more and to arrange a site inspection and remedial work.