CCBill.com multiple vulnerabilities
Found this on the full disclosure mailing list:
Quote:
|
It's possible to get all customers' FULL personal details, server admins etc... It is also possible to read any file from ccbill.com and write to this server too. Pretty shitty vulnerability if you ask me. |
Jesus, that is one hell of a vulnerability.
|
serious stuff...
# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response
does that mean that it hasn't been patched up yet? |
Quote:
|
Yeah, who knows...
I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though. |
They had so many, they stopped caring :)
|
In before the lock?
Get on it CCbill. |
I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.
But I want to add, for whatever it's worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents! It really is the fucking wild wild west out here... |
I bet this thread is gonna be locked down and thrown away.
|
it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
every hole needs to be filled in somehow and quarterly scans are required. now i have not verified this myself, but i'm guessing that it's bogus. |
Quote:
|
Quote:
|
Quote:
http://www.ariko-security.com/index-7.html |
Hell I am no programmer, but I can attest that it appears that if they are not guilty of any fraud themselves, then someone has hacked them and been able to do a lot of things that have caused many webmasters to question the integrity of the data.
Of course for the past year and a half all ccbill has done was assure everyone that what they were seeing (Bizarre to say the least stats anomalies) was their imagination, and have their shills come into gfy and attack anyone raising serious questions! Even if this post is found to be true, the majority of the industry is so brainwashed and gullible, they will not believe or care that they could have been getting the fuzzy end of the lollipop |
We are and have been looking into this.
|
Quote:
I mean you guys at ccbill are so honorable, professional, and courteous. Something tells me not to hold my breath.... OH I KNOW....................... IT'S JUST A BUG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LOL |
Makes you start to wonder about some of those zero sales days really being zero sales days, especially when your backup processors are having sales flurries |
|
Quote:
|
Quote:
100s of affiliates/program owners have been creating thread after thread all with similar issues. Making a statement, "Everything is fine on our end" doesn't seem to be an amicable solution anymore. |
only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....
and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections) I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd -Loki- |
Thread bookmarked.
|
Quote:
I can also promise you that ccbill is owned beyond the owners. |
|
Quote:
|
Quote:
|
Sounds like there's a few issues to deal with this week.
ugh! |
Quote:
http://languagejunkie.com/wp-content...id-michael.jpg |
Anything more from CCBill?
|
If this is a real concern it should be forwarded to PCI. Request that a SAS 70 report be created.
|
Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/
|
Any site can be hacked/cracked,
a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here. In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors. It's good to read that CCBill is looking into it and hope they'll update us with any news. |
Quote:
|
bump for a serious issue.
|
Looking forward to hearing the reply.
|
F.U.D.
Leave CCBill alone, NATS is shit |
Quote:
|
Quote:
Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit. |
Quote:
|
Quote:
|
...and out come the people who get paid to bash CCBill
|
Quote:
|
Quote:
and no, I'm not paid to bash CCBill. |
Quote:
|
Quote:
|
Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"
|
Quote:
|
So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?
|
Quote:
|