I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.
But I want to add, for whatever it's worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents!
It really is the fucking wild wild west out here...
Why use CCbill when you can use NetPay International... a leader in providing on-line, real-time payment processing solutions in a solid, secure and reliable manner.
Not only secure, but it has advanced technology and a new payment solution for European customers.
Again, the only ones losing money are affiliates. CCbill gets its cut, the sponsor too. Also, problems with CCbill sales started around those dates mentioned in the report...
dlXer - web design, developing, managed hosting, website optimizations
In 2005 I complained to CCBill that their website was a pain in the ass and not user-friendly to use. Now 5 years later look how much (or nothing) has changed. The website still looks like Web 1.0. However, the CCBill private jet sure does look fine.
Epoch is also weak code. Just try to sign up as an affiliate and notice the bugs in the sign-up form. The programmer didn't know (or was too lazy) to dynamically fill in the SELECT boxes or the RADIO buttons. They lose their values when the form is recreated during the field validation process. With such newbie errors present one can only fear that the same programmer has been too lazy to sanitize inputs in other places in the code, thus allowing for SQL injections.
The website looks bogus. If it was possible to write to CCBill's server, the easiest way to alert CCBill about the problem would be to deface their website.
yes, their UI is pure SHIT!
For a few thousand dollars they could re-design the whole site and have a new fresh look that would pay for itself in a matter of days!
“If you can convince the lowest white man he’s better than the best colored man, he won’t notice you’re picking his pocket. Hell, give him somebody to look down on, and he’ll empty his pockets for you.”
This report was a complete joke. This was just a variation of a Nigerian scam. We contacted the website and they responded via GMAIL if we would "Western Union" them 10k they would tell us what was wrong. LOL They create a fake security page and post stuff and hope companies will pay the blackmail money VIA WESTERN UNION (LOL)
A financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date. If this becomes a CNN item, we're not talking Facebook here.
In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors.
It's good to read that CCBill is looking into it and hope they'll update us with any news.
They are held to a higher standard. CC processors have to be PCI (payment card industry) compliant, which is a much higher standard beyond normal network security. Same thing with banks, brokerage firms, hospitals, and so on.
But hey if it is on the Internet it MUST BE TRUE.
End of Story.
Ron C
_________
CEO
CCbill.com
Cavecreek.com
Interesting. I suppose we all should have researched this further before giving it credence.
I see where your team spoke about this months ago:
From: William Bell <williamb () cwie net>
Date: Tue, 17 Aug 2010 03:52:19 +0000
At CCBill we take web application security very seriously. I can assure you that no one in this organization received any type of disclosure prior to the posting of the vulnerability to this list. It is very easy to reach our Information Security team at security () ccbill com. We are working hard to identify the issue in question and a post will be made here once it is resolved. I ask that the researcher from ariko-security.com please contact us at the email provided.
William Bell
Director of Information Security
CCBill.com
_______________
I had never heard of these guys before but now I will research them and see if they have tried this in the past with others. If so I will make sure more people know about them.
Last edited by signupdamnit; 10-15-2010, 02:39 PM.
You don't like my posts? Put me on ignore or fuck right off. I'll say what I want.
Hey Ron, nice of you to stop in... also nice to meet you, by the way. I also know some individuals that have recently been scammed.
There seems to be plenty of that going around these days. If I am not mistaken, one of the scammers was of Nigerian origin. Another seems to be of American origin.
I wonder if you would mind posting the contact info or the Gmail account so that some of us may give the Nigerian scammers a piece of our mind as well.
You say they created a "fake" security page and tried to extort 10k from you guys for a fix? Man that is pretty crass.
It is also very reassuring to know that all of my data as a client is secure and that you guys take data integrity so seriously.
After all, what is really being sold here is confidence, and a processing company's success is only as good as its clients' confidence in said "data integrity".
Please post the contact info for the scammers; I'd love to communicate with them.
Also, thanks for the "hey if it's on the internet it's true" comment; I am still chuckling uncontrollably from that one.
Dear Britney,
I am writing today to let you know how awesome you are. Your music is great and it always picks me up when I am down. My cousin is a singer but she is not as good as you.
Remember that one time they asked you in an interview if you were a virgin and you said you were but it turns out you weren't? Well, that was pretty rude of them. Please give me the email address of that interviewer. I'd love to give them a piece of my mind.
Hey Britney, would you mind mailing me back with your concert dates? I'd love to see one of your shows.
Anyway, I feel some sort of closeness with you after writing this. I hope that you'll send me an autographed picture.
I worked for an e-commerce company that went through PCI compliance for all its servers and it is extremely thorough, and as I understand it anything that stores CC data has to be PCI compliant.