
Updated: CCAvenue Payment Gateway Hacked: Report



Update 7: Countering what Patel claims in an interview with us, Akash Mahajan, in the comments to this post, points out a web server update log (screenshot) that indicates that the upgrade to Apache 2.2.17 for CCAvenue took place today. Patel had told us that the upgrade took place 5 months ago, and used that as a basis for claiming that the logs published are inaccurate, since they indicate that the server was Apache 2.2.14. As a counterpoint, OneMindsl says that Netcraft updates that data only when requested, so this may not be indicative of upgrades, rather of updates of upgrades (confusing, eh?).

Update 6: FullDisclosure appears to have the original copy of the email that d3hydr8 sent. Thanks @dotmanish.

Additionally, Anon, in the comments, says that “it’s still possible that someone accessed this backup somewhere in their file system on their server”, and asks “if there was no hack, how is company confidential schema, employee data out in the public domain?” Note that Patel told us that it’s not the “real live database schema”.


Akash Mahajan points out “Sorry for nitpicking but, Passwords need to be hashed. Hashing means one way encryption. This means once hashed there is no way of getting the original value back. Ideally secure passwords are salted and hashed. This helps in avoiding a dictionary attack against hashed passwords.”

More questions in the comments from asdf.

Update 5: Hetal R on Twitter says that when he tried resetting a CCAvenue password, he got the plaintext password, and that is a security hole. He says that “By encrypted, it means non-decryptable. When you click on forgot password, a link should be sent, allowing password reset”. Sounds reasonable enough.

Update 4: Also read this Q&A with Patel, where he addresses some of the questions we received, and some claims made in that hacking report.

Update 3: the account of HackerRegiment.com, it appears, has been suspended. Details, last we checked, were still up at Pluggd.in and ClubHack. We’ve just got more details from Vishwas Patel, who says that the information that was published as ‘hacked’ was incorrect, and there is misinformation being spread. He’s pointed out a few things that point towards incorrect information.

Note that MediaNama is not in a position or qualified to determine hacker intent/claims or CCAvenue claims. We’ll let both sides be represented. Take your pick.

Update 2: Patel further clarifies that “More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”

Update 1: An initial response from Vishwas Patel, CEO of Avenues India, which owns CCAvenue, who says that he’ll get back to us after they’ve looked into this in detail. On the face of it, this is what he has to say: “From our side, we’ll have to look into it. It is not possible, because of the kind of application level firewalls that we have put up. We don’t store credit card numbers or any other kind of payment details because of the Payment Card Industry Data Security Standards, and there is no credit card or payment related info on our servers. There are new standards that have come in, that is PCI DSS 2.0, which are more stringent than the earlier standards, and we have just completed the assessment under that last week.”

Earlier: CCAvenue, among India’s largest online payment gateway services, has been hacked using “Hidden SQL injection”, according to a report on HackerRegiment.com. Apparently, all admin passwords at CCAvenue have been leaked. HackerRegiment has published a copy of some of the information it received via email from a hacker called d3hydr8 (leetspeak for dehydrate), including a list of databases, some information on tables within the databases, and more importantly, screenshots that suggest that administrator passwords may have leaked. Please note that MediaNama is unable to confirm the veracity of this report: calls, SMSes and emails to Avenues India CEO Vishwas Patel await a response.

A MediaNama reader informs us that they’ve just made a payment via CCAvenue, so it appears that it is still active. HackerRegiment says it has informed India’s Computer Emergency Response Team. We’ll update in case we get a response from CCAvenue.


  • Nilesh

    The passwords seem to belong to the merchants who maintain accounts at CCAvenue for things like refund, order-cancellation etc. Consumers don’t maintain any accounts at CCAvenue so it is the merchants who seem to be at risk.

    • Blackhat2

      Check the fulldisclosure post once again… the breach was on 4 Dec 2010. Think again..

      [ + ] Date: Sat Dec 4 10:47:33 2010

      -cj

  • Anon

    Just because CCavenue does not store customer card data does not mean this breach has no impact. What about merchant data? If the hackers had all the admin passwords it means they could access the data of 1000s of merchants who use CCavenue.

    • Nikhil Pahwa

      That’s a fair question. So if you have questions, tell us. They say they’re looking into it, and we’ll put your questions to them once they’ve got some idea and are free to speak with us.

      • Vishal A

        One big question : Why did they save the merchant account passwords in plain text ? Have they ever been told that this is a security hole and not a standard practice ? When ? What action did they take on those inputs ?

        • Anon

          Same thing was done by Gawker media and they should have been tried in a criminal court for that but they were not. Something similar should be done to the CCAvenues.


  • Arvind Kumar

    The customer also uses the same password for the other services too. This is not at all good …

  • User

    Now guess who will be in India’s CERT? Guess, guess, guess!!

    A few babus with fat bellies bulging out and some of them will happily be chewing tobacco or sleeping blissfully in their respective offices. Well, this is an imagined scenario from what I’ve seen at various NIC offices across the country and also that one at IT ministry.

  • The hackerregiment link has 404’d. Screenshot?

  • Asdf

    @Nikhil

    1. Can you ask Vishwas whether the information published, like table names, host name etc., is correct?
    2. Even though they are claiming it is audited, this is not simple SQL injection but “hidden SQL injection”, so it is tough for a below-average security auditor to find.
    3. Interestingly, if it is audited, then there is a big question on the auditor???

  • Sorry for nitpicking but,

    Passwords need to be hashed. Hashing means one way encryption. This means once hashed there is no way of getting the original value back. Ideally secure passwords are salted and hashed. This helps in avoiding a dictionary attack against hashed passwords.
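    Akash Mahajan’s point above about salting and hashing (also quoted in Update 6), together with Hetal R’s point in Update 5 that a reset should mail a link rather than the password, as an added example; this is not code from the article, the commenters or CCAvenue, and the in-memory merchant store, the PBKDF2 work factor and the reset-token scheme are assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Assumption (not from the page): PBKDF2-HMAC-SHA256 at an OWASP-range work factor.
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account means one
    precomputed dictionary cannot be matched against every leaked record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def create_account(store, username, password):
    """Persist only salt and digest; the plaintext is never written anywhere."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "digest": digest, "reset_digest": None}

def forgot_password(store, username):
    """With a hashed record there is no password to mail back, so the handler
    issues a one-time reset token instead. Only the token's hash is stored,
    so a leaked table does not hand out usable reset links either."""
    token = secrets.token_urlsafe(32)
    store[username]["reset_digest"] = hashlib.sha256(token.encode()).digest()
    return token  # this, not the password, goes into the e-mailed link

def redeem_reset(store, username, token, new_password):
    """Consume the token once and replace the stored credential."""
    expected = store[username]["reset_digest"]
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    salt, digest = hash_password(new_password)
    store[username].update(salt=salt, digest=digest, reset_digest=None)
    return True

if __name__ == "__main__":
    merchants = {}  # constructed in-memory stand-in for a merchant credential table
    create_account(merchants, "merchant01", "correct horse battery staple")
    token = forgot_password(merchants, "merchant01")
    print(redeem_reset(merchants, "merchant01", token, "new-passphrase"))  # True
    print(redeem_reset(merchants, "merchant01", token, "again"))  # False: token already consumed
```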

  • Anon

    Great coverage on this one by MediaNama team. Very professional, responsible and objective reporting.

    BTW Vishwas, Anupama and lot of other CCavenue employees are in that image of passwords on pluggd and clubhack. Even if we believe Vishwas’s claim that none of the password info or schema is of their live database, which means its an old version of the DB (lets say a backup) its still possible that someone accessed this backup somewhere in their file system on their server. Which also means that someone was able to hack in to their server albeit not access the latest DB but an older one.

    The cross question to Vishwas should be that if there was no hack, how is company confidential schema, employee data out in the public domain?

  • From the null.co.in mailing list.

    The web server was updated today and not earlier as claimed by CCAvenue.
    This will confirm that: http://uptime.netcraft.com/up/graph?site=www.ccavenue.com

    • Anonemail

      Actually, all it means is that netcraft updated its records today. They could have updated Apache anytime between Aug-2010 and now.

      • Asdf

        No. More to that, they should accept and actually fix it; otherwise even after the changes one can re-hack!

        • Newuser

          Haven’t understood the “No” in reply to Anonemail’s posting. Are you saying that the Apache update couldn’t have happened between Aug-2010 and now? Why not?

        • Avii

          I talked to one of the accounts with a mobile number mentioned in the hack, “Yashwant”, an employee of CCAvenue in the accounts department, and he confirmed the hack!

      • Tech_expert

        No. http://toolbar.netcraft.com/site_report?url=http://ccavenue.com This is proof. Check out the dates in the last column. CCAvenue is exposed.

    • Asdf

      @Akash/Nikhil/ccavenue

      This is even worse. Updating Apache (or just the configuration file so it will show fake info) and making everyone a fool is standard practice. Looks like CCAvenue doesn’t have the guts to accept their mistake!

      • Asdf

        I mean to say making everyone a fool is NOT standard practice.

    • Bizpartners

      http://toolbar.netcraft.com/site_report?url=http://ccavenue.com … from what I can see, the Apache web server was updated on 3rd Feb 2011.

  • Govind

    Tables are named:

    [ TABLES: 180 ] : PG_card_details
    [ TABLES: 181 ] : PG_card_details_20100918
    [ TABLES: 182 ] : pg_card_details_20100924
    [ TABLES: 183 ] : pg_card_details_bkp
    [ TABLES: 184 ] : PG_card_details_linux

    What happens to all these cards which are out?? Isn’t this the same as the Sony PlayStation hack?

  • Asdf

    It’s time to upgrade the SQL server + OS as well.

  • Asdf

    1. Apache was updated today only.
    2. Doubt it was an actual Apache update or just a dummy server response trick.
    3. The actual hack has nothing to do with the version of Apache.
    4. Looks like Mr Patel is trying to hide and trying to prove the hacker wrong by dirty tricks.

  • I think CCAvenue should apologize to their customers and accept their mistake, and should compensate the customers in case their accounts get hacked due to this mess. To avoid this kind of mess, never ever save or transmit passwords and other key information in plain text. In CCAvenue’s case it’s a major failure: SQL injection is still possible, that too with a payment gateway provider. What a pity, and the technical team behind CCAvenue are such lazy guys, not even following industry standards.

  • I found that even http://www.freecharge.in is storing plain text passwords.

    Dear,
    Your Login details are given below:
    Username: .
    Password: .
    Thanks & Regards.
    Administrator
    http://www.freecharge.in
