Updated: CCAvenue Payment Gateway Hacked: Report


Update 7: Countering what Patel claims in an interview with us, Akash Mahajan, in the comments to this post, points out a web server update log(screenshot), that indicates that the upgrade to Apache 2.2.17 for CCAvenue took place today. Patel had told us that the upgrade took place 5 months ago, and used that as a basis for claiming that the logs published are inaccurate, since they indicate that the server was Apache 2.2.14. As a counterpoint, OneMindsl says that netcraft updates that data only when requested, so this may not be indicative of upgrades, rather updates of upgrades (confusing, eh?).

Update 6: FullDisclosure appears to have the original copy of the email that d3hydr8 sent. Thanks @dotmanish.

Additionally, Anon, in the comments, says that “its still possible that someone accessed this backup somewhere in their file system on their server; and asks “if there was no hack, how is company confidential schema, employee data out in the public domain?” Note that Patel told us that it’s not “real live database schema”.

Akash Mahajan points out “Sorry for nitpicking but, Passwords need to be hashed. Hashing means one way encryption. This means once hashed there is no way of getting the original value back. Ideally secure passwords are salted and hashed. This helps in avoiding a dictionary attack against hashed passwords.”

More questions in the comments from asdf

Update 5: Hetal R on Twitter says that when he tried resetting a CCAvenue password, he got the plaintext password, and that is a security hole. He says that “By encrypted, it means non-decryptable. When you click on forgot password, a link should be sent, allowing password reset”. Sounds reasonable enough.

Update 4: Also read this Q&A with Patel, where he addresses some of the questions we received, and some claims made in that hacking report.

Update 3: the account of HackerRegiment.com, it appears, has been suspended. Details, last we checked, were still up at Pluggd.in and ClubHack. We’ve just got more details from Vishwas Patel, who says that the information that was published as ‘hacked’ was incorrect, and there is misinformation being spread. He’s pointed out a few things that point towards incorrect information.

Note that MediaNama is not in a position or qualified to determine hacker intent/claims or CCAvenue claims. We’ll let sides be represented. Take your pick.

Update 2: Patel further clarifies that “More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”

Update 1: An initial response from Vishwas Patel, CEO of Avenues India, which owns CCAvenue, who says that he’ll get back to us after they’ve looked into this in detail. On the face of it, this is what he has to say: “From our side, we’ll have to look into it. It is not possible, because of the kind of application level firewalls that we have put up. We don’t store credit card numbers or any other kind of payment details because of the Payment Card Industry Data Security Standards, and there is no credit card or payment related info on our servers. There are new standards that have come in, that is PCI DSS 2.0, which are more stringent than the earlier standards, and we have just completed the assessment under that last week.”

Earlier: CCAvenue, among India’s largest online payment gateway services, has been hacked using “Hidden SQL injection”, according to a report on HackerRegiment.com. Apparently, all admin passwords at CCAvenue have been leaked. HackerRegiment has published a copy of some if the information it received via email from a hacker called d3hydr8 (leetspeak for dehydrate), including a list of databases, some information on tables within the databases, and more importantly, screenshots that suggest that administrator passwords may have leaked. Please note that MediaNama is unable to confirm the veracity of this report – calls, SMS’ and emails to Avenues India CEO Vishwas Patel await a response.

A MediaNama reader informs us that they’ve just made a payment via CCAvenue, so it appears that it is still active. HackerRegiment says it has informed India’s Computer Emergency Response Team. We’ll update in case we get a response from CCAvenue.

Category : Digital Payments | Tags :

  • http://www.rupees4gigs.com Vijay

    I think ccavenue should apologize their customer and accept their mistake, should compensate the customers in case if their account get hacked due to this mess, to avoid these kind of mess never ever save or transmit the password and other key information in plain text, from CCAvenue case its major failure, still sql injection possible that too with payment gateway provider what a petty and the technical team behind ccavenue is such lazy guys not even following industry standards

  • http://profiles.google.com/mobilpundit Mobile Pundit

    I found that, even http://www.freecharge.in is storing plain text passwords.Dear,Your Login details are given below: Username: .Password: .Thanks & Regards.Administrator http://www.freecharge.in

  • http://profiles.google.com/mobilpundit Mobile Pundit

    I found that, even http://www.freecharge.in is storing plain text passwords.Dear,Your Login details are given below: Username: .Password: .Thanks & Regards.Administrator http://www.freecharge.in

-->

Archieve