
India’s Leading Payment Gateway “CCAvenue” Hacked by SQL Injection - dkd903
http://digitizor.com/2011/05/05/ccavenue-hacked/
======
narad
I am surprised at this. Why did CCAvenue not conduct a vulnerability test on
their applications? It is standard practice to conduct a VA on production
systems, which will certainly identify this kind of vulnerability. A payment
facilitator going down because of an SQL injection attack is ridiculous.

The Indian market is paranoid about online security. This will bring down the
number of online sales. Too bad for start-ups depending on CCAvenue.
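The thread takes for granted that an SQL injection in a payment gateway is a basic, avoidable defect. As an added illustration (not code from the thread or from CCAvenue), the block below contrasts the fragile pattern, splicing user input into SQL text, with the parameterised form that every database driver supports. The `merchants` table, its rows and the `lookup_*` function names are constructed for the demo; the point is that the same quote character that breaks the string-built query on a legitimate name like "O'Brien" is exactly what lets an attacker change the query's meaning, while the parameterised query treats it as plain data.

```python
"""Added example: parameterised queries as the SQL injection fix.
The table, rows and function names are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory merchants table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, email) VALUES (?, ?)",
        [
            ("Acme Stores", "acme@example.invalid"),
            ("O'Brien Books", "obrien@example.invalid"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Fragile pattern: the input becomes part of the SQL text, so any
    quote or keyword inside it is parsed as SQL rather than as a value."""
    sql = "SELECT id, name FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value travels separately from the SQL text,
    so the driver never interprets its contents as query syntax."""
    sql = "SELECT id, name FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str):
    """Run both lookups on the same input and return (unsafe, safe).
    The unsafe result is an 'error: <ExceptionName>' string when the
    spliced SQL fails to parse."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    safe = lookup_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for probe in ("Acme Stores", "O'Brien Books"):
        unsafe, safe = compare(probe)
        print(f"{probe!r:20} unsafe={unsafe!r}  safe={safe!r}")
```

Running it shows the two lookups agreeing on a plain name and diverging on the one containing an apostrophe: the string-built query dies with a syntax error, which in production surfaces as a crash or as an injection point, while the parameterised query simply returns the matching row. A code-review grep for string concatenation or formatting adjacent to `execute(` is a cheap way to find the first pattern before a vulnerability assessment does.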

------
swatkat
CCAvenue CEO talks about this hack:
<http://www.medianama.com/2011/05/223-vishwas-patel-ccavenue-hack/>

~~~
Garbage
Important replies from above link:

_So you're saying that the merchant data has not been accessed?_ > It hasn't.
If you see, apache 2.2.14 – we've been live with apache 2.2.17 for the last five
months.

_You're also saying that merchant account passwords have not been stored as
plain text?_ > They are encrypted, and not stored as plain text.

_Have you ever been told that there is a security hole of some sort?_ > We
are looking into this, and this is the initial report. From time to time what
we get, I am sharing with you. As more information comes out as we
investigate, we will share it.

~~~
narad
Encrypted?? Then it can be decrypted. Why were they not hashed so that they
cannot be decrypted?

More updates posted here... <http://www.medianama.com/2011/05/223-ccavenue-hacked/>

~~~
Indyan
Yep. Typically passwords are hashed and salted. However, I have seen
non-technical folks use the terms hashing and encryption interchangeably.
Hopefully that's the case here. Anyways, since CCAvenue didn't store the full
CC number (and they definitely didn't store the passcode - for that it
redirected to the issuing bank/organization), this doesn't seem to be a very
serious issue, even if true.

------
happyfeet
If what is published on hackerregiment.com is true, this is the most
irresponsible thing the company "CCAvenue" could have done - to store plain
text passwords.

They also claim to be PCI DSS 2.0 certified. In light of all the discussions
happening repeatedly about the need to regenerate passwords & not to store
plain text passwords, if they have it this way, this is so stupid.

~~~
dav-id
I have been evaluating payment gateways in India and quite frankly I would not
be surprised if this is true. If you just look at the CCAvenue website you
will see what an absolute mess it is; they do not reply to any form of
communication I try to make with them.

If I were a customer of CCAvenue I would close my account and move to someone
like DirecPay from Times Of Money.

~~~
rushabh
Have you tried it? I am waiting to get out of CCAvenue -- so many times the
payment crashes that my customers are now preferring to mail me a check! Their
customer service is pathetic too.

~~~
theyaga
I have been using <http://ebs.in/> and they are pretty good at it.

~~~
happyfeet
Do you mean that EBS's payment pages do not crash as often as CCAvenue's?

Maybe this is an opportunity for these kinds of payment service providers to
come out clean & prove to the world (at least in forums like HN) how
paranoid they are about security?

------
giis
More info on the hack: when a user tried "forgot password", they got their
original password back. If it was stored as encrypted then there is no way to
decrypt them. And also in the interview the CEO claims they have used "2.2.17"
for the past 5 months but <http://uptime.netcraft.com/up/graph?site=www.ccavenue.com>
shows differently.

------
giis
It's plain stupidity to store plain passwords. Some user said he tried forgot
password, and it returned him 'his original' password.
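Two points in this thread, Indyan's remark that passwords are normally hashed and salted and giis's observation that a "forgot password" flow returning the original password is a tell for plain-text (or reversibly encrypted) storage, are easier to see in code. The following is an added example, not anything from the thread or from CCAvenue. It uses `hashlib.pbkdf2_hmac` and `hmac.compare_digest` from the Python standard library; the `MerchantStore` class, its in-memory dictionaries, the reset-token scheme and the iteration count are constructed for the illustration.

```python
"""Added example: salted password hashing and a reset flow that
cannot hand the password back, because only a hash is ever stored.
MerchantStore and the token scheme are constructed for this demo."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

ITERATIONS = 100_000  # assumption for the demo; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means equal passwords hash differently,
    so a leaked table cannot be attacked with one precomputed lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. There is no inverse operation: nothing here can recover
    the password from `stored`."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class MerchantStore:
    """Minimal credential store: merchant -> hash string, plus one-time
    reset tokens. Contrast with a store that can return the password."""

    def __init__(self) -> None:
        self._creds: Dict[str, str] = {}
        self._reset_tokens: Dict[str, str] = {}

    def register(self, merchant: str, password: str) -> None:
        self._creds[merchant] = hash_password(password)

    def login(self, merchant: str, password: str) -> bool:
        stored = self._creds.get(merchant)
        return stored is not None and verify_password(password, stored)

    def forgot_password(self, merchant: str) -> Optional[str]:
        """The only honest answer to 'forgot password' when hashes are
        stored: issue a single-use reset token, never the password."""
        if merchant not in self._creds:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = merchant
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        """Consume the token (one use only) and store a new salted hash."""
        merchant = self._reset_tokens.pop(token, None)
        if merchant is None:
            return False
        self._creds[merchant] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = MerchantStore()
    store.register("acme", "correct horse battery")
    print("login ok:", store.login("acme", "correct horse battery"))
    token = store.forgot_password("acme")
    print("reset token (not the password):", token)
    print("reset applied:", store.reset_password(token, "new secret"))
    print("old password rejected:", not store.login("acme", "correct horse battery"))
```

The distinction the thread circles around is visible in `forgot_password`: with hashing there is simply no data from which to reply with the original password, so a site that e-mails it back is either storing plain text or storing something reversible with a key it also holds. Encryption protects data that must be read back later; a password never needs to be read back, only compared, which is why a slow salted hash is the right primitive.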

------
geetaj
CC Avenue denies the attack: <http://ndtv.in/jy6RAO>

~~~
abdulqabiz
Isn't it obvious? They don't have the right culture within their organization.
Had they been like Amazon, Twitter and others, they would have accepted what
happened.

