CCBill.com multiple vulnerabilities

  • CYF
    Coupon Guru
    • Mar 2009
    • 10973

    #1

    CCBill.com multiple vulnerabilities

    Found this on the full disclosure mailing list:

    We want to warn you about security vulnerabilities in CCBILL.COM
    Internet billing service.

    CCBill is an Internet billing service. Established in 1998, the company
    provides third-party billing, or turn-key solutions, for e-Merchants
    requiring payments by way of credit card, debit card, or e-check,
    European Debit/Direct Pay, and telephone payment.

    Since Ccbill is a privately held company, little is known about its
    finances; however, it is estimated that more than a billion dollars per
    year in credit card charges are processed through Ccbill in the US and
    abroad.

    Time Table:
    # 20/07/2010 - We have found multiple Blind SQL injections.

    # 30/07/2010 - Vendor notified. / no response
    # 03/08/2010 - Vendor notified. / no response
    # 10/08/2010 - Vendor notified. / no response

    CCBILL.COM vulnerability:

    Multiple blind SQL injections

    It's possible to get all customers' FULL personal details, server admins
    etc...

    It is also possible to read any file from ccbill.com and write to this
    server too.

    JPG sample tables proof:
    http://www.ariko-security.com/images/ccbill_proof1.jpg

    Credit:
    # Discovered By: MG / Ariko-Security 2010
    # http://advisories.ariko-security.com...nstwa_719.html
    Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
    AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons
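The advisory above names the bug class (blind SQL injection) but shows nothing of how such a flaw arises or is closed. The following is an added illustration, not code from the advisory, from Ariko-Security or from CCBill: it uses an in-memory SQLite table with constructed sample rows as a stand-in for any billing back end, places a string-concatenated lookup next to the parameterized version of the same query, and shows that one crafted input widens the result set in the first and is treated as plain data in the second. Table and column names are hypothetical.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not CCBill's): a stand-in
# customer table that a lookup endpoint would query by username.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: untrusted input is pasted into the SQL
    text, so a quote character in the input changes the query's structure."""
    sql = "SELECT id FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: the driver binds the value as a parameter, so the input
    is compared as data and can never alter the statement."""
    sql = "SELECT id FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups on a benign name and on a constructed input whose
    quote breaks out of the string literal; return the four result lists so
    the difference between the two implementations can be checked."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # constructed probe: no such username exists
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_benign": lookup_safe(conn, benign),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label}: {ids}")
```

The vulnerable lookup returns every customer id for the crafted input, which is exactly the kind of "all customers' details" exposure the advisory describes; the parameterized lookup returns nothing because no username equals that literal string. The fix is the same in PHP, Java or any other stack: bind values, never build SQL by concatenation.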

  • CYF
    Coupon Guru
    • Mar 2009
    • 10973

    #2
    It's possible to get all customers' FULL personal details, server admins
    etc...

    It is also possible to read any file from ccbill.com and write to this
    server too.


    Pretty shitty vulnerability if you ask me.
    Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
    AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


    • Ethersync
      Confirmed User
      • Mar 2008
      • 5289

      #3
      Jesus, that is one hell of a vulnerability.
      The best ePassporte replacement I have found: OKPAY


      • woj
        <&(©¿©)&>
        • Jul 2002
        • 47882

        #4
        serious stuff...

        # 30/07/2010 - Vendor notified. / no response
        # 03/08/2010 - Vendor notified. / no response
        # 10/08/2010 - Vendor notified. / no response

        does that mean that it hasn't been patched up yet?
        Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
        Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
        Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager


        • Ethersync
          Confirmed User
          • Mar 2008
          • 5289

          #5
          Originally posted by woj
          serious stuff...

          # 30/07/2010 - Vendor notified. / no response
          # 03/08/2010 - Vendor notified. / no response
          # 10/08/2010 - Vendor notified. / no response

          does that mean that it hasn't been patched up yet?
          Most likely...
          The best ePassporte replacement I have found: OKPAY


          • NetHorse
            Confirmed User
            • Dec 2006
            • 3526

            #6
            Yeah, who knows...

            I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.
            ┌∩┐(◣_◢)┌∩┐
            ICQ # 427013273


            • ladida
              Confirmed User
              • Nov 2005
              • 2179

              #7
              They had so many, they stopped caring
              agentGFY *at* gmail.com


              • DWB
                Registered User
                • Jul 2003
                • 31779

                #8
                In before the lock?

                Get on it CCbill.


                • BFT3K
                  Too lazy to set a custom title
                  • Dec 2005
                  • 10764

                  #9
                  I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.

                  But I want to add, for whatever it's worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents!

                  It really is the fucking wild wild west out here...
                  Last edited by BFT3K; 08-16-2010, 05:44 PM.


                  • TheSenator
                    Too lazy to set a custom title
                    • Feb 2003
                    • 13340

                    #10
                    I bet this thread is gonna be locked down and thrown away.
                    ISeekGirls.com since 2005


                    • myneid
                      Confirmed User
                      • Jan 2003
                      • 736

                      #11
                      it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
                      every hole needs to be filled in somehow and quarterly scans are required.

                      Now I have not verified this myself, but I'm guessing that it's bogus.
                      Tanguy 0x7a69 inc. Programmer/President/CEO
                      http://www.0x7a69.com
                      A Leader in Programming since 1996
                      PHP, Ruby on Rails, MySQL, PCI DSS, and any Technical Consulting


                      • BittieBucks Eric
                        Confirmed User
                        • Aug 2010
                        • 457

                        #12
                        Originally posted by NetHorse
                        Yeah, who knows...

                        I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.
                        Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?

                        Bittie Bucks - Upto 70% Revshare - CCBill Cascading Program - 10% Webmaster Referral
                        [email protected] - ICQ - 594415957


                        Need Content TRASHY CONTENT


                        • CYF
                          Coupon Guru
                          • Mar 2009
                          • 10973

                          #13
                          Originally posted by myneid
                          it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
                          every hole needs to be filled in somehow and quarterly scans are required.

                          Now I have not verified this myself, but I'm guessing that it's bogus.
                          bogus? Why would you think that?
                          Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                          AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


                          • Ethersync
                            Confirmed User
                            • Mar 2008
                            • 5289

                            #14
                            Originally posted by myneid
                            Now I have not verified this myself, but I'm guessing that it's bogus.
                            Are all these other exploits they found bogus too?

                            http://www.ariko-security.com/index-7.html
                            The best ePassporte replacement I have found: OKPAY


                            • SwirlsGirl
                              So Fucking Banned
                              • Feb 2006
                              • 2067

                              #15
                              Hell, I am no programmer, but I can attest that it appears that if they are not guilty of any fraud themselves, then someone has hacked them and been able to do a lot of things that have caused many webmasters to question the integrity of the data.

                              Of course, for the past year and a half all ccbill has done was assure everyone that what they were seeing (bizarre, to say the least, stats anomalies) was their imagination, and have their shills come into gfy and attack anyone raising serious questions!

                              Even if this post is found to be true, the majority of the industry is so brainwashed and gullible, they will not believe or care that they could have been getting the fuzzy end of the lollipop.


                              • CCBill Paul
                                Confirmed User
                                • Feb 2004
                                • 1005

                                #16
                                We are and have been looking into this.
                                Paulk @ CCBill.com | icq 248615940


                                • SwirlsGirl
                                  So Fucking Banned
                                  • Feb 2006
                                  • 2067

                                  #17
                                  Originally posted by CCBill Paul
                                  We are and have been looking into this.
                                  Classic, but you would have others think I am just starting drama. Tell me: if this is found out to be true, will you come back in and apologize as an honorable person would?

                                  I mean you guys at ccbill are so honorable, professional, and courteous. Something tells me not to hold my breath....


                                  OH I KNOW.......................

                                  ITS JUST A BUG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LOL


                                  • SwirlsGirl
                                    So Fucking Banned
                                    • Feb 2006
                                    • 2067

                                    #18
                                    Makes you start to wonder about some of those zero sales days really being zero sales days, especially when your backup processors are having sales flurries.


                                    • BFT3K
                                      Too lazy to set a custom title
                                      • Dec 2005
                                      • 10764

                                      #19


                                      • mmcfadden
                                        So Fucking Banned
                                        • Oct 2008
                                        • 5099

                                        #20
                                        Originally posted by CCBill Paul
                                        We are and have been looking into this.
                                        Lmk when all is good ;). Lol


                                        • NetHorse
                                          Confirmed User
                                          • Dec 2006
                                          • 3526

                                          #21
                                          Originally posted by BittieBucks Eric
                                          Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?
                                          Good point. Not really sure what needs to be done, but something clearly needs addressing.

                                          100s of affiliates/program owners have been creating thread after thread all with similar issues. Making a statement, "Everything is fine on our end" doesn't seem to be an amicable solution anymore.
                                          ┌∩┐(◣_◢)┌∩┐
                                          ICQ # 427013273


                                          • Loki
                                            Confirmed User
                                            • Feb 2004
                                            • 4420

                                            #22
                                            Only thing I find odd is the 'proof': half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

                                            and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

                                            I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

                                            -Loki-
                                            MAKE MONEY WITH 3D TOONS!
                                            Need hosting? LokiCa$h Uses Amerinoc and love them!
                                            Skype: LokiPorn Or Email 3dloki|at|gmail.com


                                            • The Ghost
                                              IslandDollars.com
                                              • Oct 2004
                                              • 12188

                                              #23
                                              Thread bookmarked.
                                              ISLAND DOLLARS
                                              1000's of Exclusive TS scenes / Constant Updates
                                              Best TS Network your surfers will ever join


                                              • elitelist
                                                So Fucking Banned
                                                • Aug 2002
                                                • 210

                                                #24
                                                Originally posted by Loki
                                                Only thing I find odd is the 'proof': half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

                                                and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

                                                I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

                                                -Loki-
                                                Concatenated strings are not vocabulary.

                                                I can also promise you that ccbill is owned beyond the owners.


                                                • rowan
                                                  Too lazy to set a custom title
                                                  • Mar 2002
                                                  • 17393

                                                  #25


                                                  • CYF
                                                    Coupon Guru
                                                    • Mar 2009
                                                    • 10973

                                                    #26
                                                    Originally posted by rowan
                                                    I love that one
                                                    Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                                    AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


                                                    • MrDeiz
                                                      • May 2008
                                                      • 9802

                                                      #27
                                                      Originally posted by CCBill Paul
                                                      We are and have been looking into this.
                                                      it doesn't make any sense = it's senseless
                                                      Make money with WEBC$MS
                                                      The only way to still make money in adult


                                                      • LeRoy
                                                        Porn Pusher
                                                        • Jul 2007
                                                        • 13364

                                                        #28
                                                        Sounds like there's a few issues to deal with this week.

                                                        ugh!
                                                        JAPANESE CAMS AND CONTENT SITES
                                                        Teams - leroy.rowland2
                                                        Telegram - @lroddd


                                                        • DWB
                                                          Registered User
                                                          • Jul 2003
                                                          • 31779

                                                          #29
                                                          Originally posted by myneid
                                                          every hole needs to be filled


                                                          • Beerbar
                                                            Confirmed User
                                                            • Oct 2004
                                                            • 145

                                                            #30
                                                            Anything more from CCBill?


                                                            • NetHorse
                                                              Confirmed User
                                                              • Dec 2006
                                                              • 3526

                                                              #31
                                                              If this is a real concern it should be forwarded to PCI. Request that a SAS 70 report be created.
                                                              Last edited by NetHorse; 08-17-2010, 11:59 AM.
                                                              ┌∩┐(◣_◢)┌∩┐
                                                              ICQ # 427013273


                                                              • Ethersync
                                                                Confirmed User
                                                                • Mar 2008
                                                                • 5289

                                                                #32
                                                                Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/
                                                                The best ePassporte replacement I have found: OKPAY


                                                                • closer
                                                                  Confirmed User
                                                                  • Sep 2005
                                                                  • 1707

                                                                  #33
                                                                  Any site can be hacked/cracked,

                                                                  a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here.

                                                                  In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors.

                                                                  It's good to read that CCBill is looking into it and hope they'll update us with any news.


                                                                  • CYF
                                                                    Coupon Guru
                                                                    • Mar 2009
                                                                    • 10973

                                                                    #34
                                                                    Originally posted by Ethersync
                                                                    Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/
                                                                    I think this is a separate issue.
                                                                    Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                                                    AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


                                                                    • CYF
                                                                      Coupon Guru
                                                                      • Mar 2009
                                                                      • 10973

                                                                      #35
                                                                      bump for a serious issue.
                                                                      Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                                                      AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


                                                                      • Shap
                                                                        Confirmed User
                                                                        • May 2001
                                                                        • 8313

                                                                        #36
                                                                        Looking forward to hearing the reply.


                                                                        • cambaby
                                                                          So Fucking Banned
                                                                          • Feb 2003
                                                                          • 3141

                                                                          #37
                                                                          F.U.D.

                                                                          Leave CCBill alone, NATS is shit


                                                                          • CYF
                                                                            Coupon Guru
                                                                            • Mar 2009
                                                                            • 10973

                                                                            #38
                                                                            Originally posted by cambaby
                                                                            F.U.D.

                                                                            Leave CCBill alone, NATS is shit
                                                                            So this isn't a serious vulnerability? How do you figure?
                                                                            Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                                                            AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons


                                                                            • cambaby
                                                                              So Fucking Banned
                                                                              • Feb 2003
                                                                              • 3141

                                                                              #39
                                                                              Originally posted by CYF
                                                                              So this isn't a serious vulnerability? How do you figure?
                                                                              There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

                                                                              Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.


                                                                              • Shap
                                                                                Confirmed User
                                                                                • May 2001
                                                                                • 8313

                                                                                #40
                                                                                Originally posted by cambaby
                                                                                F.U.D.

                                                                                Leave CCBill alone, NATS is shit
                                                                                How does this have anything to do with Nats? It's one thing to discredit the claim it's another to bring in another company that has nothing to do with this topic.


                                                                                • ladida
                                                                                  Confirmed User
                                                                                  • Nov 2005
                                                                                  • 2179

                                                                                  #41
                                                                                  Originally posted by cambaby
                                                                                  There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

                                                                                  Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.
                                                                                  ROFL. God, you're clueless.
                                                                                  agentGFY *at* gmail.com


                                                                                  • cambaby
                                                                                    So Fucking Banned
                                                                                    • Feb 2003
                                                                                    • 3141

                                                                                    #42
                                                                                    ...and out come the people who get paid to bash CCBill


• Shap
Confirmed User
• May 2001
• 8313

#43
Originally posted by cambaby
...and out come the people who get paid to bash CCBill
LOL that really shows how clueless you are. How am I paid to bash Ccbill? I've used them for more than 10 years now.

• CYF
Coupon Guru
• Mar 2009
• 10973

#44
Originally posted by cambaby
There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.
That's pretty clueless, dude.

And no, I'm not paid to bash CCBill.

• rowan
Too lazy to set a custom title
• Mar 2002
• 17393

#45
Originally posted by Ethersync
Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/
This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a public knowledge base that requires no login.

• CYF
Coupon Guru
• Mar 2009
• 10973

#46
Originally posted by rowan
This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a public knowledge base that requires no login.

• NinjaSteve
Too lazy to set a custom title
• Dec 2003
• 11089

#47
Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"
...

• CYF
Coupon Guru
• Mar 2009
• 10973

#48
Originally posted by NinjaSteve
Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"
Somehow I doubt it.

• Kelli58
Confirmed User
• Aug 2006
• 2253

#49
So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?

• The Porn Nerd
Living The Dream
• Jun 2009
• 19787

#50
Originally posted by Kelli58
So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?
That would be a "no".