CCAvenue Gateway Hacked

[krishnandu.sarkar]

CCAvenue, one of the largest online Payment gateways of India, has been compromised by a hacker who goes by the name d3hydr8.



According to HackerRegiment, this website was compromised by exploiting a SQL injection vulnerability and all the admin passwords which were apparently stored in Plain Text, have been leaked in a report which includes a list of databases, info on the tables within the databases and screenshots of the admin passwords of the CCAvenue portal.

Furthermore, it added that they have reported the issue to CERT India (Indian Computer Emergency Response Team) and are anticipating corrective action to be taken before the information becomes public through other channels.

Vishas Patel, CEO of Avenues India which runs CCAvenue, initially wasn’t sure of the damage and said he’d respond after they’ve looked into how significant the breach was. Although he added they didn’t store any credit card details or any other payment details.

In a quote to Medianama, he said:

“From our side, we’ll have to look into it. It is not possible, because of the kind of application level firewalls that we have put up. We don’t store credit card numbers or any other kind of payment details because of the Payment Card Industry Data Security Standards, and there is no credit card or payment related info on our servers. There are new standards that have come in, that is PCI DSS 2.0, which are more stringent than the earlier standards, and we have just completed the assessment under that last week.”

“More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”

Later, he rebuffed the activity saying this is a mischevious slander against CCAvenue. He said the screenshot that has been leaked is not of their current database since it quotes the server type as Apache/2.2.14 and they have shifted to Apache/2.2.17 since 5 months.

He also said they had stored all the passwords as encrypted and not plain text as before, although users on Twitter are stating a different story.

Source : CCAvenue, India’s Payment Gateway gets hacked. CEO cries foul - TNW India

WTH??? How they can store passwords in plain text and SQL Injection?? They are not even this much secure

Not going to use it anymore...

 

[asingh]

I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.

How can you not use it, most gateways go via CC Avenue.

 

[Vyom]

The more I hear of such hacks, more I start to believe of the impending doom of 2012!

OMG! That's just not happening dude!!! CCAvenue!

My telephone bill, railway ticket booking... and even the recent digit subcription I did.. was all through the CCAvenue!

I dont want to spread panic... but... We are DOOMED!

 

[baccilus]

Where did 2012 come into this? Common man. From what I have seen, I have only ever entered passwords in the SBI site. Never in CCavenue site. But I will still keep an eye on my bank account.

 

[ico]

This is ridiculous. Plain text?

 

[furious_gamer]

CCAvenue is a bunch of fools to store password as plaintext. Even a small company will encrypt the password and store it.

BTW In my prev company we used CCAvenue. Too bad such famous PG provider doomed by simple SQL injection, which a school going kid can do.

 

[Pratul_09]

I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.

How can you not use it, most gateways go via CC Avenue.

thinkdigit also uses the same gateway, this is hightime we look after the security aspect of payment gateways. before making a purchase we must verify the security.

Verisign certified.

 

[furious_gamer]

They are already hacked a few before IIRC.

 

[Vyom]

So how many options we have other than CCAvenue?
And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?

 

[iinfi]

i dont think this news is true ....

 

[krishnandu.sarkar]

Well, asingh is right, max. vendors use CCAvenue as their payment gateway, no idea what should we do next.

So how many options we have other than CCAvenue?
And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?

SQL injection - Wikipedia, the free encyclopedia

i dont think this news is true ....

Dude, read the news, CCAvenue themselves accepted it, and the source is not fake, it's reliable.

 

[Vyom]

“More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”

Reading the above quote, I am relieved again. Since most of my transactions are through Net Banking

 

[krishnandu.sarkar]

Yes, that's right, but I think I've used CC few times. Can't remember though.

 

[gagan007]

me too..and I have used credit card all the time

 

[dreatica]

Yes, that's right, but I think I've used CC few times. Can't remember though.

Me too ? So after all the hype of PSN, and now ccavenue. The last payment made for digit subscription, 2 weeks back.

 

[krishnandu.sarkar]

So what should we do now?? Is there anything that we can do??

I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.

 

[dreatica]

So what should we do now?? Is there anything that we can do??

I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.

thats what I also want to know ? What to do know ? Call the bank and ask them to cancel my cc ?

Now, I remember I make the electricity, water, phone and god knows what else through ccavenue.

@krishnandu.sarkar I get the master secure code page whenever I make the payments. Why you don't get it ?

 

[buddyram]

This January i renewed my digit subscription through the same CCAvenue. I got a message stating that the login details which i entered would be transferred through an unencrypted channel. I was apprehensive about that but still there was no other go, trusting digit i carried on with the payment!

 

[krishnandu.sarkar]

^^Yup that's right, whenever I bought anything, after making payment through SBI Net Banking, when it redirects it says it's going to send the data through unencrypted channel, and I used to go with it. And I guess many of us did that too.

@dreatica I've no idea, I registered for Mastercard Secure Code at the very beginning after getting my Card, but never asked for that while making payment. I can't remember particular services I used but it never asked for that password. I guess not all sites are compatible with it, so the sites which are compatible with it, asks for the password, others just make the transaction normally. One I can remember is Vodafone.in which I use for my recharge needs.

 

[gagan007]

@dreatica: for some gateways it doesn't ask the password..I am not sure why!