CCBill.com multiple vulnerabilities

[CYF]

Found this on the full disclosure mailing list:

Quote:

We want to warn you about security vulnerabilities in CCBILL.COM
Internet billing service.

CCBill is an Internet billing service. Established in 1998, the company
provides third-party billing, or turn-key solutions, for e-Merchants
requiring payments by way of credit card, debit card, or e-check,
European Debit/Direct Pay, and telephone payment.

Since Ccbill is a privately held company little is known about it's
finances however it is estimated that more than a billion dollars per
year in credit card charges are processed through Ccbill in the us and
abroad.

Time Table:
# 20/07/2010 We have found multiple Blind SQL injections.

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

CCBILL.COM vulnerability:

Multiple blind SQL injections

It's possible to get all customers FULL personal details, server admins
etc...

Also is possible to read any file from ccbill.com and write to this
server too.

JPG sample tables proof:
http://www.ariko-security.com/images/ccbill_proof1.jpg

Credit:
# Discoverd By: MG / Ariko-Security 2010
# http://advisories.ariko-security.com...nstwa_719.html

[CYF]

It's possible to get all customers FULL personal details, server admins
etc...

Also is possible to read any file from ccbill.com and write to this
server too.

Pretty shitty vulnerability if you ask me.

[Ethersync]

Jesus, that is one hell of an vulnerability.

[woj]

serious stuff...

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

does that mean that it hasn't been patched up yet?

[Ethersync]

Quote:

Originally Posted by woj

serious stuff...

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

does that mean that it hasn't been patched up yet?

Most likely...

[NetHorse]

Yeah, who knows...

I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.

[ladida]

They had so many, they stopped caring

[DWB]

In before the lock?

Get on it CCbill.

[BFT3K]

I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.

But I want to add, for whatever its worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents!

It really is the fucking wild wild west out here...

[TheSenator]

I bet this thread is gonna be locked down and thrown away.

[myneid]

it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
every hole needs to be filled in somehow and quarterly scans are required.

now i have not verified this myself, but i'm guessing that its bogus.

[BittieBucks Eric]

Quote:

Originally Posted by NetHorse

Yeah, who knows...

I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.

Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?

[CYF]

Quote:

Originally Posted by myneid

it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
every hole needs to be filled in somehow and quarterly scans are required.

now i have not verified this myself, but i'm guessing that its bogus.

bogus? Why would you think that?

[Ethersync]

Quote:

Originally Posted by myneid

now i have not verified this myself, but i'm guessing that its bogus.

Are all these other exploits they found bogus too?

http://www.ariko-security.com/index-7.html

[SwirlsGirl]

Hell I am no programmer, but I can attest that it appears that if they are not guilty of any fraud them selves, then some one has hacked them and been able to do a lot of things that have caused many webmasters to question the integrity of the data.

Of course for the past year and a half all ccbill has done was assure everyone that what they were seeing (Bizarre to say the least stats anomalies) was their imagination, and have there schills come into gfy and attack anyone raising serious questions!

Even if this post is found to be true, the majority of the industry is so brain washed and gullible, they will not believe or care that they could have been getting the fuzzy end of the lolipop

[CCBill Paul]

We are and have been looking into this.

[SwirlsGirl]

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

Classic, but you would have others think I am just starting drama, tell me If this is found out to be true, will you come back in and apologize as an honorable person would?

I mean you guys at ccbill are so honorable, professional, and courteous. Something tells me not to hold my breath....


OH I KNOW.......................

ITS JUST A BUG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LOL

[SwirlsGirl]

Makes you start to wonder about some of those zero sales days really being zero sales days, especially when your back up processors are having sales flurries

[BFT3K]

[mmcfadden]

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

Lmk when all is good ;). Lol

[NetHorse]

Quote:

Originally Posted by BittieBucks Eric

Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?

Good point. Not really sure what needs to be done, but something clearly needs addressing.

100s of affiliates/program owners have been creating thread after thread all with similar issues. Making a statement, "Everything is fine on our end" doesn't seem to be an amicable solution anymore.

[Loki]

only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

-Loki-

[The Ghost]

Thread bookmarked.

[elitelist]

Quote:

Originally Posted by Loki

only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

-Loki-

Concatenated strings are not vocabulary.

I can also promise you that ccbill is owned beyond the owners.

[rowan]

[CYF]

Quote:

Originally Posted by rowan

I love that one

[MrDeiz]

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

it doesn't make any sense = it's senseless

[LeRoy]

Sounds like there's a few issues to deal with this week.

ugh!

[DWB]

Quote:

Originally Posted by myneid

every hole needs to be filled

[Beerbar]

Anything more from CCBill?

[NetHorse]

If this is a real concern it should be forwarded to PCI. Request that a SAS 70 report be created.

[Ethersync]

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

[closer]

Any site can be hacked/cracked,

a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here.

In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors.

It's good to read that CCBill is looking into it and hope they'll update us with any news.

[CYF]

Quote:

Originally Posted by Ethersync

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

I think this is a separate issue.

[CYF]

bump for a serious issue.

[Shap]

Looking forward to hearing the reply.

[cambaby]

F.U.D.

Leave CCBill alone, NATS is shit

[CYF]

Quote:

Originally Posted by cambaby

F.U.D.

Leave CCBill alone, NATS is shit

So this isn't a serious vulnerability? How do you figure?

[cambaby]

Quote:

Originally Posted by CYF

So this isn't a serious vulnerability? How do you figure?

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

[Shap]

Quote:

Originally Posted by cambaby

F.U.D.

Leave CCBill alone, NATS is shit

How does this have anything to do with Nats? It's one thing to discredit the claim it's another to bring in another company that has nothing to do with this topic.

[ladida]

Quote:

Originally Posted by cambaby

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

ROFL. god you're clueless

[cambaby]

...and out come the people who get paid to bash CCBill

[Shap]

Quote:

Originally Posted by cambaby

...and out come the people who get paid to bash CCBill

LOL that really shows how clueless you are. How am I paid to bash Ccbill? I've used them for more than 10 years now.

[CYF]

Quote:

Originally Posted by cambaby

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

that's pretty clueless dude

and no, I'm not paid to bash CCBill.

[rowan]

Quote:

Originally Posted by Ethersync

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a non login required public knowledgebase. :

[CYF]

Quote:

Originally Posted by rowan

This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a non login required public knowledgebase. :

[NinjaSteve]

Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"

[CYF]

Quote:

Originally Posted by NinjaSteve

Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"

somehow I doubt it.

[Kelli58]

So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?

[The Porn Nerd]

Quote:

Originally Posted by Kelli58

So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?

That would be a "no".