CCBill.com multiple vulnerabilities - Page 2 - GoFuckYourself.com

The Porn Nerd · 08-18-2010, 10:35 PM

FIDDY CCBILL VULNERABILITIES!!!

I can't believe I beat Woj to the punch. WooHoo! Ahem.

CYF · 08-19-2010, 11:46 AM

still waiting for a ccbill fix.

candyflip · 08-19-2010, 12:04 PM

They are too busy counting their monies.

V_RocKs · 08-24-2010, 11:52 AM

CCBILL has had this problem for years... Why change anything now?

mlove · 08-24-2010, 11:55 AM

Quote:

Originally Posted by BFT3K

I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.

But I want to add, for whatever its worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents!

It really is the fucking wild wild west out here...

Not everything.

PHP Code:


			
<?php echo "hello."; ?>

Hack my php script.

NikKay · 08-25-2010, 11:23 AM

Quote:

Originally Posted by DirtyWhiteBoy

Awesome.

V_RocKs · 08-25-2010, 05:39 PM

Nice script

Axzar · 08-25-2010, 06:32 PM

Get an alternate merchant account already. Quit paying 15% or more. See Sig Below. Free to Apply.

DVTimes · 08-25-2010, 06:41 PM

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

cool stuff

hope its fixed soon

Mock NyaMout · 08-25-2010, 11:23 PM

I got the answer

CYF · 09-06-2010, 09:19 PM

still no reply?

SallyRand · 09-06-2010, 09:43 PM

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

Paul, don't "LOOK INTO IT", FUCKING FIX IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

;)

Sally.

CYF · 09-10-2010, 12:33 PM

still no reply?

Socks · 09-10-2010, 12:43 PM

At one point in time I was aware of how to create logins and passwords on any CCBill site, I believe it worked like a charm. Was years ago though.

May-Netpay · 09-16-2010, 06:46 AM

why using CCbill where you can use NetPay international ..a leader in providing on-line, real-time payment processing solutions in a solid, secure and reliable manner.

not only secure, but has advanced technology and new payment solution to European customers.

contact me for info.
May

MMarko · 09-16-2010, 07:31 AM

Again only one who is losing money are affiliates. CCbill gets it's cut, sponsor too. Also problems with CCbill sales started around those dates mentioned in report...

MMarko · 09-16-2010, 07:35 AM

Quote:

Originally Posted by closer

a financial/banking site should be held up to much higher security standard

if these vulnerabilities are true, then ccbill security is below ANY standard

k0nr4d · 09-16-2010, 07:38 AM

Quote:

Originally Posted by May-Netpay

why using CCbill where you can use NetPay international ..a leader in providing on-line, real-time payment processing solutions in a solid, secure and reliable manner.

not only secure, but has advanced technology and new payment solution to European customers.

contact me for info.
May

Classy Bump...

CYF · 10-14-2010, 10:47 AM

has this been fixed yet?

signupdamnit · 10-14-2010, 11:01 AM

Quote:

Originally Posted by CYF

has this been fixed yet?

I hope so. It would really suck to wake up one day and hear Visa or someone has shut down CCbill for "certain program deficiencies".

CYF · 10-14-2010, 09:20 PM

Quote:

Originally Posted by signupdamnit

I hope so. It would really suck to wake up one day and hear Visa or someone has shut down CCbill for "certain program deficiencies".

somehow I don't think it's fixed yet

Zyber · 10-15-2010, 12:07 AM

Come on guys. Give them some time to fix it.

In 2005 I complained to CCBill that their website was a pain in the ass and not user-friendly to use. Now 5 years later look how much (or nothing) has changed. The website still looks like Web 1.0. However, the CCBill private jet sure does look fine.

Epoch is also weak code. Just try to sign up as an affiliate and notice the bugs in the sign-up form. The programmer didn't know (or was too lazy) to dynamically fill in the SELECT boxes or the RADIO buttons. They lose their values when the form is recreated during the field validation process. With such newbie errors present one can only fear that the same programmer has been to lazy to sanitize inputs other places in the code, thus allowing for SQL injections.

Davy · 10-15-2010, 05:09 AM

The website looks bogus. If it was possible to write to CCBill's server, the easiest way to alert CCBill about the problem would be to deface their website.

HomerSimpson · 10-15-2010, 05:43 AM

Quote:

Originally Posted by Zyber

Come on guys. Give them some time to fix it.

In 2005 I complained to CCBill that their website was a pain in the ass and not user-friendly to use. Now 5 years later look how much (or nothing) has changed. The website still looks like Web 1.0. However, the CCBill private jet sure does look fine.

Epoch is also weak code. Just try to sign up as an affiliate and notice the bugs in the sign-up form. The programmer didn't know (or was too lazy) to dynamically fill in the SELECT boxes or the RADIO buttons. They lose their values when the form is recreated during the field validation process. With such newbie errors present one can only fear that the same programmer has been to lazy to sanitize inputs other places in the code, thus allowing for SQL injections.

yes, their UI is pure SHIT!
for a few thousand dollars they could re-design the whole site and have
a new fresh look that would pay for it self in matter of days!

candyflip · 10-15-2010, 06:01 AM

Of course it isn't fixed. This is CCBill we're talking about.

As I said up top, they're too busy counting their monies to worry about real issues.

buyandsell · 10-15-2010, 07:59 AM

ccbill still getting hacked eh

CyberHustler · 10-15-2010, 08:03 AM

CCBill, why get this topic locked?
https://gfy.com/showthread.php?t=992256

blackmonsters · 10-15-2010, 08:10 AM

PHP for the WIN.....

....for hackers of course.

LOL!

CYF · 10-15-2010, 11:08 AM

Quote:

Originally Posted by Davy

The website looks bogus. If it was possible to write to CCBill's server, the easiest way to alert CCBill about the problem would be to deface their website.

it's not bogus.

RonC · 10-15-2010, 11:42 AM

Quote:

Originally Posted by Davy

The website looks bogus. If it was possible to write to CCBill's server, the easiest way to alert CCBill about the problem would be to deface their website.

This report was a complete joke. This was just a variation of a Nigerian scam. We contacted the website and they responded via GMAIL if we would "Western Union" them 10k they would tell us what was wrong. LOL They create a fake security page and post stuff and hope companies will pay the blackmail money VIA WESTERN UNION (LOL)

But hey if it is on the Internet it MUST BE TRUE.

End of Story.

Ron C
_________
CEO

CCbill.com
Cavecreek.com

Supz · 10-15-2010, 03:25 PM

Quote:

Originally Posted by closer

Any site can be hacked/cracked,

a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here.

In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors.

It's good to read that CCBill is looking into it and hope they'll update us with any news.

They are held at a higher standard. CC processors have to be PCI (payment card industry) compliant. Which is a much higher standard beyond normal network security. Same thing with Banks, brokerage firms, hospitals. So on so forth.

signupdamnit · 10-15-2010, 03:38 PM

Quote:

Originally Posted by RonC

This report was a complete joke. This was just a variation of a Nigerian scam. We contacted the website and they responded via GMAIL if we would "Western Union" them 10k they would tell us what was wrong. LOL They create a fake security page and post stuff and hope companies will pay the blackmail money VIA WESTERN UNION (LOL)

But hey if it is on the Internet it MUST BE TRUE.

End of Story.

Ron C
_________
CEO

CCbill.com
Cavecreek.com

Interesting. I suppose we all should have researched this further before giving it credence.

I see where your team spoke about this months ago:

http://seclists.org/fulldisclosure/2010/Aug/193

Quote:

From: William Bell <williamb () cwie net>
Date: Tue, 17 Aug 2010 03:52:19 +0000

At CCBill we take web application security very seriously. I can assure you that no one in this organization received
any type of disclosure prior to the posting of the vulnerability to this list. It is very easy to reach our Information
Security team at security () ccbill com<mailto:security () ccbill com>. We are working hard to identify the issue in
question and a post will be made here once it is resolved. I ask that the researcher from ariko-security.com please
contact us at the email provided.

William Bell
Director of Information Security
CCBill.com

_______________

I had never heard of these guys before but now I will research them and see if they have tried this in the past with others. If so I will make sure more people know about them.

SwirlsGirl · 10-15-2010, 09:05 PM

Quote:

Originally Posted by RonC

This report was a complete joke. This was just a variation of a Nigerian scam. We contacted the website and they responded via GMAIL if we would "Western Union" them 10k they would tell us what was wrong. LOL They create a fake security page and post stuff and hope companies will pay the blackmail money VIA WESTERN UNION (LOL)

But hey if it is on the Internet it MUST BE TRUE.

End of Story.

Ron C
_________
CEO

CCbill.com
Cavecreek.com

Hey Ron nice of you to stop in...also nice to meet you by the way. I also know some individuals that have recently been scammed.

There seems to be plenty of that going around these days. If I am not mistaken one of the scammers were of Nigerian origin. Another seems to be of American origin.

I wonder if you would mind posting the contact info or the gmail email account so that some of us may give the nigerian scammers a piece of our mind as well.

You say they created a "fake" security page and tried to extort 10k from you guys for a fix? Man that is pretty crass.

It is also very reassuring to know that all of my data as a client is secure and that you guys take data integrity so seriously.

After all what is really being sold here is confidence and a processing companies success is only as good as its clients confidence in it of said "data integrity"

Please post the contact info for the scammers would love to communicate with them.

Also thanks for the "hey if its on the internet its true" comment, I am still chuckling uncontrollably from that one

epitome · 10-15-2010, 09:59 PM

Quote:

Originally Posted by SwirlsGirl

Hey Ron nice of you to stop in...also nice to meet you by the way. I also know some individuals that have recently been scammed.

There seems to be plenty of that going around these days. If I am not mistaken one of the scammers were of Nigerian origin. Another seems to be of American origin.

I wonder if you would mind posting the contact info or the gmail email account so that some of us may give the nigerian scammers a piece of our mind as well.

You say they created a "fake" security page and tried to extort 10k from you guys for a fix? Man that is pretty crass.

It is also very reassuring to know that all of my data as a client is secure and that you guys take data integrity so seriously.

After all what is really being sold here is confidence and a processing companies success is only as good as its clients confidence in it of said "data integrity"

Please post the contact info for the scammers would love to communicate with them.

Also thanks for the "hey if its on the internet its true" comment, I am still chuckling uncontrollably from that one

Dear Britney,

I am writing today to let you know how awesome you are. Your music is great and it always picks me up when I am down. My cousin is a singer but she is not as good as you.

Remember that one time they asked you in an interview if you were a virgin and you said you were but it turns out you weren't? Well, that was pretty rude of them. Please give me the email address of that interviewer. I'd love to give them a piece of my mind.

Hey Britney, would you mind mailing me back with your concert dates? I'd love to see one of your shows.

Anyway, I feel some sort of closeness with you after writing this. I hope that you'll send me an autographed picture.

Fondly,
Your #1 Fan

plsureking · 10-15-2010, 11:47 PM

Quote:

Originally Posted by RonC

This report was a complete joke. End of Story.

there's too many eager hackers in Russia & China for this to not be a joke..

redwhiteandblue · 10-16-2010, 03:11 AM

Quote:

Originally Posted by Supz

They are held at a higher standard. CC processors have to be PCI (payment card industry) compliant. Which is a much higher standard beyond normal network security. Same thing with Banks, brokerage firms, hospitals. So on so forth.

I worked for an e-commerce company that went through PCI compliance for all its servers and it is extremely thorough, and as I understand it anything that stores CC data has to be PCI compliant.

AdultKing · 10-16-2010, 04:49 AM

Reading this thread had me shaking my head.

Why would you give credence to a company issuing an advisory when they have an about us page like this

Doing a WHOIS on the domain reveals Polish contact details with a hotmail email address. Very professional.

Look at the credibility of the web site - it was registered in 2009 and is obviously, I mean so scammer obviously, bogus.

08-18-2010, 10:35 PM	#51
The Porn Nerd Living The Dream Industry Role: Join Date: Jun 2009 Location: Inside a Monitor Posts: 19,536	FIDDY CCBILL VULNERABILITIES!!! I can't believe I beat Woj to the punch. WooHoo! Ahem. __________________ My Affiliate Programs: Porn Nerd Cash \| Porn Showcase \| Aggressive Gold Over 90 paysites to promote! Now on Teams: peabodymedia

08-19-2010, 11:46 AM	#52
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	still waiting for a ccbill fix. __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

08-19-2010, 12:04 PM	#53
candyflip Carpe Visio Industry Role: Join Date: Jul 2002 Location: New York Posts: 43,057	They are too busy counting their monies. __________________ Spend you some brain. Email Me

08-25-2010, 11:23 PM	#60
Mock NyaMout Confirmed User Join Date: Sep 2009 Posts: 514	I got the answer __________________

09-06-2010, 09:19 PM	#61
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	still no reply? __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

08-24-2010, 11:52 AM	#54
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,405	CCBILL has had this problem for years... Why change anything now?

08-25-2010, 05:39 PM	#57
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,405	Nice script

08-25-2010, 06:32 PM	#58
Axzar Random Jackass Industry Role: Join Date: Feb 2003 Posts: 1,837	Get an alternate merchant account already. Quit paying 15% or more. See Sig Below. Free to Apply.

09-10-2010, 12:33 PM	#63
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	still no reply? __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

09-10-2010, 12:43 PM	#64
Socks Confirmed User Industry Role: Join Date: May 2002 Location: Toronto Posts: 8,475	At one point in time I was aware of how to create logins and passwords on any CCBill site, I believe it worked like a charm. Was years ago though.

09-16-2010, 06:46 AM	#65
May-Netpay Registered User Industry Role: Join Date: Mar 2010 Location: Tel Aviv - Israel Posts: 29	why using CCbill where you can use NetPay international ..a leader in providing on-line, real-time payment processing solutions in a solid, secure and reliable manner. not only secure, but has advanced technology and new payment solution to European customers. contact me for info. May __________________ May Yedidya International Sales Netpay International Ltd [ Office +972 3 612 69 66 Mob +972 52 330 22 23 [email protected] ADULT ONLINE MERCHANT ACCOUNT

09-16-2010, 07:31 AM	#66
MMarko Confirmed User Join Date: Jun 2007 Posts: 160	Again only one who is losing money are affiliates. CCbill gets it's cut, sponsor too. Also problems with CCbill sales started around those dates mentioned in report... __________________ dlXer - web design, developing, managed hosting, website optimizations

10-14-2010, 10:47 AM	#69
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	has this been fixed yet? __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

10-15-2010, 12:07 AM	#72
Zyber Confirmed User Industry Role: Join Date: Aug 2001 Posts: 832	Come on guys. Give them some time to fix it. In 2005 I complained to CCBill that their website was a pain in the ass and not user-friendly to use. Now 5 years later look how much (or nothing) has changed. The website still looks like Web 1.0. However, the CCBill private jet sure does look fine. Epoch is also weak code. Just try to sign up as an affiliate and notice the bugs in the sign-up form. The programmer didn't know (or was too lazy) to dynamically fill in the SELECT boxes or the RADIO buttons. They lose their values when the form is recreated during the field validation process. With such newbie errors present one can only fear that the same programmer has been to lazy to sanitize inputs other places in the code, thus allowing for SQL injections.

10-15-2010, 05:09 AM	#73
Davy Confirmed User Industry Role: Join Date: Apr 2006 Location: Germany Posts: 4,323	The website looks bogus. If it was possible to write to CCBill's server, the easiest way to alert CCBill about the problem would be to deface their website. __________________ --- ICQ 14-76-98 <-- I don't use this at all

10-15-2010, 06:01 AM	#75
candyflip Carpe Visio Industry Role: Join Date: Jul 2002 Location: New York Posts: 43,057	Of course it isn't fixed. This is CCBill we're talking about. As I said up top, they're too busy counting their monies to worry about real issues. __________________ Spend you some brain. Email Me

10-15-2010, 07:59 AM	#76
buyandsell Confirmed User Industry Role: Join Date: May 2008 Location: USA Posts: 692	ccbill still getting hacked eh

10-15-2010, 08:03 AM	#77
CyberHustler Unregistered Abuser Industry Role: Join Date: Feb 2006 Posts: 25,463	CCBill, why get this topic locked? https://gfy.com/showthread.php?t=992256

10-15-2010, 08:10 AM	#78
blackmonsters Making PHP work Industry Role: Join Date: Nov 2002 Location: 🌎🌅🌈🌇 Posts: 20,278	PHP for the WIN..... ....for hackers of course. LOL!

10-16-2010, 04:49 AM	#87
AdultKing Raise Your Weapon Industry Role: Join Date: Jun 2003 Location: Outback Australia Posts: 15,601	Reading this thread had me shaking my head. Why would you give credence to a company issuing an advisory when they have an about us page like this Doing a WHOIS on the domain reveals Polish contact details with a hotmail email address. Very professional. Look at the credibility of the web site - it was registered in 2009 and is obviously, I mean so scammer obviously, bogus.