# CCAvenue Gateway Hacked



## krishnandu.sarkar (May 5, 2011)

> CCAvenue, one of the largest online Payment gateways of India, has been compromised by a hacker who goes by the name d3hydr8.
> 
> 
> 
> ...



Source : CCAvenue, Indiaâ€™s Payment Gateway gets hacked. CEO cries foul - TNW India

WTH??? How they can store passwords in plain text and SQL Injection?? They are not even this much secure 

Not going to use it anymore...


----------



## asingh (May 5, 2011)

I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.

How can you not use it, most gateways go via CC Avenue.


----------



## Vyom (May 5, 2011)

The more I hear of such hacks, more I start to believe of the impending doom of 2012!

OMG! That's just not happening dude!!! CCAvenue!  

My telephone bill, railway ticket booking... and even the recent digit subcription I did.. was all through the CCAvenue! 

I dont want to spread panic... but...     We are DOOMED!


----------



## baccilus (May 5, 2011)

Where did 2012 come into this? Common man. From what I have seen, I have only ever entered passwords in the SBI site. Never in CCavenue site. But I will still keep an eye on my bank account.


----------



## ico (May 5, 2011)

This is ridiculous. Plain text?


----------



## furious_gamer (May 5, 2011)

CCAvenue is a bunch of fools to store password as plaintext. Even a small company will encrypt the password and store it.

BTW In my prev company we used CCAvenue. Too bad such famous PG provider doomed  by simple SQL injection, which a school going kid can do.


----------



## Pratul_09 (May 5, 2011)

asingh said:


> I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.
> 
> How can you not use it, most gateways go via CC Avenue.



thinkdigit also uses the same gateway, this is hightime we look after the security aspect of payment gateways. before making a purchase we must verify the security. 

Verisign certified.


----------



## furious_gamer (May 5, 2011)

They are already hacked a few before IIRC.


----------



## Vyom (May 5, 2011)

So how many options we have other than CCAvenue?
And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?


----------



## iinfi (May 5, 2011)

i dont think this news is true ....


----------



## krishnandu.sarkar (May 5, 2011)

Well, asingh is right, max. vendors use CCAvenue as their payment gateway, no idea what should we do next. 



vineet369 said:


> So how many options we have other than CCAvenue?
> And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?



SQL injection - Wikipedia, the free encyclopedia



iinfi said:


> i dont think this news is true ....



Dude, read the news, CCAvenue themselves accepted it, and the source is not fake, it's reliable.


----------



## Vyom (May 5, 2011)

> “More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”



Reading the above quote, I am relieved again. Since most of my transactions are through Net Banking


----------



## krishnandu.sarkar (May 5, 2011)

Yes, that's right, but I think I've used CC few times. Can't remember though.


----------



## gagan007 (May 6, 2011)

me too..and I have used credit card all the time


----------



## dreatica (May 6, 2011)

krishnandu.sarkar said:


> Yes, that's right, but I think I've used CC few times. Can't remember though.



Me too ? So after all the hype of PSN, and now ccavenue. The last payment made for digit subscription, 2 weeks back.


----------



## krishnandu.sarkar (May 6, 2011)

So what should we do now?? Is there anything that we can do??

I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.


----------



## dreatica (May 6, 2011)

krishnandu.sarkar said:


> So what should we do now?? Is there anything that we can do??
> 
> I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.



thats what I also want to know ? What to do know ? Call the bank and ask them to cancel my cc ? 

Now, I remember I make the electricity, water, phone and god knows what else through ccavenue.

@krishnandu.sarkar I get the master secure code page whenever I make the payments. Why you don't get it ?


----------



## buddyram (May 6, 2011)

This January i renewed my digit subscription through the same CCAvenue. I got a message stating that the login details which i entered would be transferred through an unencrypted channel. I was apprehensive about that but still there was no other go, trusting digit i carried on with the payment!


----------



## krishnandu.sarkar (May 6, 2011)

^^Yup that's right, whenever I bought anything, after making payment through SBI Net Banking, when it redirects it says it's going to send the data through unencrypted channel, and I used to go with it. And I guess many of us did that too.

@dreatica I've no idea, I registered for Mastercard Secure Code at the very beginning after getting my Card, but never asked for that while making payment. I can't remember particular services I used but it never asked for that password. I guess not all sites are compatible with it, so the sites which are compatible with it, asks for the password, others just make the transaction normally. One I can remember is Vodafone.in which I use for my recharge needs.


----------



## gagan007 (May 6, 2011)

@dreatica: for some gateways it doesn't ask the password..I am not sure why!


----------



## Thor (May 6, 2011)

Krishnandu , thanks for bringing this to our notice.

This is such a setback now.  Just when people of India were getting in the thick of things when it comes to the online shopping , transactions etc , CCAvenue , one of the most used and trusted Payment Gateway craps on our confidence . This is just horrible. Most of the time I have used HDFC Netsafe card which is good for only 1 transaction , looks like thats the way to go from now onwards. 

This incident has now made me wonder, how secure really is Online shopping / marketing in Indian sites . If a payment gateways site can be hacked ( because of their earth shattering stupidity, negligence, etc etc ) , can the shopping portals be trusted ?


----------



## Garbage (May 6, 2011)

Updated: CCAvenue CEO Vishwas Patel Denies Authenticity Of Hacking Report; Claims Mischief - MediaNama


----------



## furious_gamer (May 6, 2011)

^^ looks conflicting. They claim they updated their server 5 months back but reports saying that its done very recently. Shame on CCAvenue


----------



## asingh (May 6, 2011)

Payment Gateway CCAvenue Hacked [Updated/Open Questions]


----------



## krishnandu.sarkar (May 6, 2011)

Thor said:


> Krishnandu , thanks for bringing this to our notice.



Welcome, But I didn't find this, I got the news from other forum and thought of sharing here too.


----------



## dreatica (May 6, 2011)

So what are these store passwords ? I never made any userid to use ccavenue ? Is this employee's database ?

*www.hackerregiment.com/wp-content/uploads/2011/05/ccavenue_passwords.jpg

and the ccavenue peoples are lying that they updated the apache 5 months back. They have updated yesterday :

Netcraft What's That Site Running Results


----------



## krishnandu.sarkar (May 6, 2011)

Yes, they are the admin passwords. Not of users.

I guess their N/W admins are too noob to know that these things can be find out easily


----------



## dreatica (May 6, 2011)

Check this out :

Updated: CCAvenue CEO Vishwas Patel Denies Authenticity Of Hacking Report; Claims Mischief - MediaNama

The credit card numbers are not stored anywhere in our database, as per PCI norms. *Only the first six and last 4 card numbers of the last 15 days are stored. And those are also BSI encrypted*, for which there is a key, and to open that there is a master key, and those keys are not stored online anywhere. It is there with our head of security, who is the only person with access to it. The encryption has been in place on our servers for the last four years.

I made the last payment from ccavenue to digit on 18th, If the last 15 days is true, my A@@ is saved coz I just bump it for 16 day as the database was hacked on 4th may.


----------



## sygeek (May 9, 2011)

CCAvenue hacked by SQL Injection...I mean WTF? Never realised CCAvenue would be this insecure, and to add to the stupidity, all the database of admin's login information was stored in plain text


----------



## doomgiver (May 9, 2011)

lol, even script kiddies can do a sql inject.

are these the people to whom we trust our money?


----------



## anubisX (May 10, 2011)

I'm worried now  What kinda security CCAvenue uses ? Stupid !!


----------



## newway01 (May 10, 2011)

Damn..Is there some problem we should be worried about? I am using ccavenue every now and then..Last time used was a day before for online purchase


----------



## Vyom (May 10, 2011)

I dont think, there is a problem to be worried about, if you don't use your card to shop, and rather use online banking. 
But it only holds true, if their (CCAvenue's) words are to be believed.


----------



## KDroid (May 10, 2011)

What happened to the security they used to boast off?


----------



## furious_gamer (May 10, 2011)

^^ lol. Don't even say that. They are attacked by SQL injection.


----------



## KDroid (May 10, 2011)

Yeah I know that!  It was a kind of sarcastic comment!


----------



## PraKs (May 10, 2011)

newway01 said:


> Damn..Is there some problem we should be worried about? I am using ccavenue every now and then..Last time used was a day before for online purchase



Check the data which is leaked, You may find your user ID & password there


----------



## sygeek (May 10, 2011)

^  lmao


----------



## gagan007 (May 23, 2011)

even now for pre-order of anniversary issue Digit is using CCAvenue gateway!


----------



## Vyom (May 23, 2011)

I think we should talk directly to the editor about this:
*www.thinkdigit.com/forum/feedback/123086-editors-desk-13.html


----------



## buddyram (May 23, 2011)

gagan007 said:


> even now for pre-order of anniversary issue Digit is using CCAvenue gateway!



  Yeah! Trust Digit Guys!


----------



## Vyom (May 23, 2011)

^ It's not the matter to trust digit! We have full trust in them.
But what would you do, if someone hacked the *medium *by which the transactions are performed between you and them?
Even they can't help it, in such cases!


----------



## buddyram (May 23, 2011)

Yes. I agree with you.
if digit is using it, then it must have been a reliable means. if we are aware of gateway hacking in CCAvenue, then obviously "*digit guys*" must be knowing it!
I hope something would/should be done soon.


----------



## Garbage (May 24, 2011)

buddyram said:


> *if digit is using it, then it must have been a reliable means*. if we are aware of gateway hacking in CCAvenue, then obviously "digit guys"* must* be knowing it!




Blind followers!


----------



## ico (May 24, 2011)

buddyram said:


> Yes. I agree with you.
> if digit is using it, then it must have been a reliable means. if we are aware of gateway hacking in CCAvenue, then obviously "*digit guys*" must be knowing it!
> I hope something would/should be done soon.


Honestly, there is nothing like if X is using it...then it is/must-have-been reliable.

It appeared reliable to everyone and even me, but not now as we know it was designed by novice people.


----------



## Tejas.Gupta (May 25, 2011)

Atleast they could have used MD5 hashes :/


----------



## suyash_123 (May 26, 2011)

hi all,
my site was also infected / hacked by Sql injection methord.
till date i dont know waht was Sql injection ( i used Asp site)

Sql injection usually happens when we write Sql queries (which is used to access database) directly In Asp (front end ) code.

examle : select * from table1 where NameId = ' selec

SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = 'myname' + 'INSERT INTO members ('email','passwd','login_id','full_name') 
        VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--'

likewise they insert query in query and Get data or insert data and update too...

I did that in whole website and have to make site down for a Week to remove this issue.

solution was : to make as muck as store procedures and avoid Sql quires inline in code.
also use Regular expressions to remove special charactres lIke  " ' "

this ' syambaol is very very very dangerous to SQL database and use differtn ways to Compramist it By repalcing ' with '' or etc etc.


as My Site was not Payment supported i was safe.
But Man sql injection On Payment gate Way is A Big S#it on face.
they must  be very very secure By suing Numerous algorithms and ssl etc.

but They are saving password son text format ha ah ha useless

i m unsafe Now....


----------



## Garbage (May 30, 2011)

[offtopic]
@Suyash_123,
No offense man, but it was really hard to read your post. I think you should read this

And sorry for your site. 
[/offtopic]


----------

