CCBill.com multiple vulnerabilities - GoFuckYourself.com

CYF · 08-16-2010, 05:27 PM

Found this on the full disclosure mailing list:

Quote:

We want to warn you about security vulnerabilities in CCBILL.COM
Internet billing service.

CCBill is an Internet billing service. Established in 1998, the company
provides third-party billing, or turn-key solutions, for e-Merchants
requiring payments by way of credit card, debit card, or e-check,
European Debit/Direct Pay, and telephone payment.

Since Ccbill is a privately held company little is known about it's
finances however it is estimated that more than a billion dollars per
year in credit card charges are processed through Ccbill in the us and
abroad.

Time Table:
# 20/07/2010 We have found multiple Blind SQL injections.

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

CCBILL.COM vulnerability:

Multiple blind SQL injections

It's possible to get all customers FULL personal details, server admins
etc...

Also is possible to read any file from ccbill.com and write to this
server too.

JPG sample tables proof:
http://www.ariko-security.com/images/ccbill_proof1.jpg

Credit:
# Discoverd By: MG / Ariko-Security 2010
# http://advisories.ariko-security.com...nstwa_719.html

CYF · 08-16-2010, 06:10 PM

It's possible to get all customers FULL personal details, server admins
etc...

Also is possible to read any file from ccbill.com and write to this
server too.

Pretty shitty vulnerability if you ask me.

Ethersync · 08-16-2010, 06:16 PM

Jesus, that is one hell of an vulnerability.

woj · 08-16-2010, 06:17 PM

serious stuff...

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

does that mean that it hasn't been patched up yet?

Ethersync · 08-16-2010, 06:18 PM

Quote:

Originally Posted by woj

serious stuff...

# 30/07/2010 - Vendor notified. / no response
# 03/08/2010 - Vendor notified. / no response
# 10/08/2010 - Vendor notified. / no response

does that mean that it hasn't been patched up yet?

Most likely...

NetHorse · 08-16-2010, 06:19 PM

Yeah, who knows...

I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.

ladida · 08-16-2010, 06:20 PM

They had so many, they stopped caring

DWB · 08-16-2010, 06:24 PM

In before the lock?

Get on it CCbill.

BFT3K · 08-16-2010, 06:33 PM

I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues.

But I want to add, for whatever its worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents!

It really is the fucking wild wild west out here...

TheSenator · 08-16-2010, 06:37 PM

I bet this thread is gonna be locked down and thrown away.

myneid · 08-16-2010, 06:47 PM

it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
every hole needs to be filled in somehow and quarterly scans are required.

now i have not verified this myself, but i'm guessing that its bogus.

BittieBucks Eric · 08-16-2010, 06:54 PM

Quote:

Originally Posted by NetHorse

Yeah, who knows...

I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though.

Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?

CYF · 08-16-2010, 07:00 PM

Quote:

Originally Posted by myneid

it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss.
every hole needs to be filled in somehow and quarterly scans are required.

now i have not verified this myself, but i'm guessing that its bogus.

bogus? Why would you think that?

Ethersync · 08-16-2010, 07:04 PM

Quote:

Originally Posted by myneid

now i have not verified this myself, but i'm guessing that its bogus.

Are all these other exploits they found bogus too?

http://www.ariko-security.com/index-7.html

SwirlsGirl · 08-16-2010, 07:28 PM

Hell I am no programmer, but I can attest that it appears that if they are not guilty of any fraud them selves, then some one has hacked them and been able to do a lot of things that have caused many webmasters to question the integrity of the data.

Of course for the past year and a half all ccbill has done was assure everyone that what they were seeing (Bizarre to say the least stats anomalies) was their imagination, and have there schills come into gfy and attack anyone raising serious questions!

Even if this post is found to be true, the majority of the industry is so brain washed and gullible, they will not believe or care that they could have been getting the fuzzy end of the lolipop

CCBill Paul · 08-16-2010, 07:46 PM

We are and have been looking into this.

SwirlsGirl · 08-16-2010, 08:00 PM

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

Classic, but you would have others think I am just starting drama, tell me If this is found out to be true, will you come back in and apologize as an honorable person would?

I mean you guys at ccbill are so honorable, professional, and courteous. Something tells me not to hold my breath....

OH I KNOW.......................

ITS JUST A BUG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LOL

SwirlsGirl · 08-16-2010, 08:06 PM

Makes you start to wonder about some of those zero sales days really being zero sales days, especially when your back up processors are having sales flurries

BFT3K · 08-16-2010, 08:45 PM

mmcfadden · 08-16-2010, 08:47 PM

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

Lmk when all is good ;). Lol

NetHorse · 08-16-2010, 09:07 PM

Quote:

Originally Posted by BittieBucks Eric

Any idea how many bugs and vulnerabilities they'd create if they'd rebuild everything from the ground up?

Good point.

Not really sure what needs to be done, but something clearly needs addressing.

100s of affiliates/program owners have been creating thread after thread all with similar issues. Making a statement, "Everything is fine on our end" doesn't seem to be an amicable solution anymore.

Loki · 08-16-2010, 09:07 PM

only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

-Loki-

The Ghost · 08-16-2010, 09:21 PM

Thread bookmarked.

elitelist · 08-16-2010, 10:22 PM

Quote:

Originally Posted by Loki

only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications....

and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections)

I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd

-Loki-

Concatenated strings are not vocabulary.

I can also promise you that ccbill is owned beyond the owners.

rowan · 08-16-2010, 11:18 PM

CYF · 08-16-2010, 11:19 PM

Quote:

Originally Posted by rowan

I love that one

MrDeiz · 08-16-2010, 11:25 PM

Quote:

Originally Posted by CCBill Paul

We are and have been looking into this.

it doesn't make any sense = it's senseless

LeRoy · 08-16-2010, 11:30 PM

Sounds like there's a few issues to deal with this week.

ugh!

DWB · 08-17-2010, 02:19 AM

Quote:

Originally Posted by myneid

every hole needs to be filled

Beerbar · 08-17-2010, 09:01 AM

Anything more from CCBill?

NetHorse · 08-17-2010, 12:56 PM

If this is a real concern it should be forwarded to PCI. Request that a SAS 70 report be created.

Ethersync · 08-17-2010, 01:01 PM

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

closer · 08-17-2010, 01:23 PM

Any site can be hacked/cracked,

a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here.

In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors.

It's good to read that CCBill is looking into it and hope they'll update us with any news.

CYF · 08-17-2010, 04:03 PM

Quote:

Originally Posted by Ethersync

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

I think this is a separate issue.

CYF · 08-17-2010, 05:58 PM

bump for a serious issue.

Shap · 08-17-2010, 07:00 PM

Looking forward to hearing the reply.

cambaby · 08-17-2010, 07:10 PM

F.U.D.

Leave CCBill alone, NATS is shit

CYF · 08-17-2010, 07:11 PM

Quote:

Originally Posted by cambaby

F.U.D.

Leave CCBill alone, NATS is shit

So this isn't a serious vulnerability? How do you figure?

cambaby · 08-17-2010, 07:29 PM

Quote:

Originally Posted by CYF

So this isn't a serious vulnerability? How do you figure?

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

Shap · 08-17-2010, 07:32 PM

Quote:

Originally Posted by cambaby

F.U.D.

Leave CCBill alone, NATS is shit

How does this have anything to do with Nats? It's one thing to discredit the claim it's another to bring in another company that has nothing to do with this topic.

ladida · 08-17-2010, 07:35 PM

Quote:

Originally Posted by cambaby

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

ROFL. god you're clueless

cambaby · 08-17-2010, 07:49 PM

...and out come the people who get paid to bash CCBill

Shap · 08-17-2010, 07:55 PM

Quote:

Originally Posted by cambaby

...and out come the people who get paid to bash CCBill

LOL that really shows how clueless you are. How am I paid to bash Ccbill? I've used them for more than 10 years now.

CYF · 08-17-2010, 08:02 PM

Quote:

Originally Posted by cambaby

There is a huge difference between "vulnerability" and actual cases of hacking. Every piece of software is "vulnerable".

Most likely you have to get social hacked into giving up some piece of information and then be on a certain domain at a certain time located at x,y gps coordinates and standing on your head sipping a glass of red wine while flatulating to actually exploit shit.

that's pretty clueless dude

and no, I'm not paid to bash CCBill.

rowan · 08-17-2010, 08:24 PM

Quote:

Originally Posted by Ethersync

Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a non login required public knowledgebase.

:

CYF · 08-18-2010, 06:23 PM

Quote:

Originally Posted by rowan

This one looks like an SQL injection. See the cartoon I posted. Unbelievable that a multi-million dollar CC processing company would not sanitize input data to prevent what appears to be a relatively simple attack... especially on a non login required public knowledgebase.

:

NinjaSteve · 08-18-2010, 08:52 PM

Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"

CYF · 08-18-2010, 09:32 PM

Quote:

Originally Posted by NinjaSteve

Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!"

somehow I doubt it.

Kelli58 · 08-18-2010, 09:52 PM

So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?

The Porn Nerd · 08-18-2010, 10:23 PM

Quote:

Originally Posted by Kelli58

So bashing each other aside, did anyone from CCBill address the CCBill security issues yet?

That would be a "no".

08-16-2010, 06:10 PM	#2
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	It's possible to get all customers FULL personal details, server admins etc... Also is possible to read any file from ccbill.com and write to this server too. Pretty shitty vulnerability if you ask me. __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

08-16-2010, 06:17 PM	#4
woj <&(©¿©)&> Industry Role: Join Date: Jul 2002 Location: Chicago Posts: 47,882	serious stuff... # 30/07/2010 - Vendor notified. / no response # 03/08/2010 - Vendor notified. / no response # 10/08/2010 - Vendor notified. / no response does that mean that it hasn't been patched up yet? __________________ Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000 Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager

08-16-2010, 06:19 PM	#6
NetHorse Confirmed User Industry Role: Join Date: Dec 2006 Location: Chicago Posts: 3,526	Yeah, who knows... I think a lot would agree that CCBILL needs to revamp EVERYTHING from the ground up. Especially considering they're the single biggest processor in adult. A lot of concerns have been brought up in the last 2-3 years, zero changes have happened though. __________________ ┌∩┐(◣_◢)┌∩┐ ICQ # 427013273

08-16-2010, 06:20 PM	#7
ladida Confirmed User Join Date: Nov 2005 Posts: 2,167	They had so many, they stopped caring __________________ agentGFY at gmail.com

08-16-2010, 06:33 PM	#9
BFT3K Too lazy to set a custom title Industry Role: Join Date: Dec 2005 Location: Narnia Posts: 10,764	I am not defending CCBill here, and hopefully they have read this post, and are immediately working to correct these issues. But I want to add, for whatever its worth, it appears EVERYTHING currently on the web is insecure nowadays - from major banks, to EVERY social network, to almost EVERY method of online processing, all the way up to Top Secret classified military documents! It really is the fucking wild wild west out here... Last edited by BFT3K; 08-16-2010 at 06:44 PM..

08-16-2010, 06:16 PM	#3
Ethersync Confirmed User Join Date: Mar 2008 Location: London, Saint-Tropez, Bermuda, Moscow Posts: 5,289	Jesus, that is one hell of an vulnerability.

08-16-2010, 06:24 PM	#8
DWB Registered User Industry Role: Join Date: Jul 2003 Location: Encrypted. Access denied. Posts: 31,779	In before the lock? Get on it CCbill.

08-16-2010, 06:37 PM	#10
TheSenator Too lazy to set a custom title Industry Role: Join Date: Feb 2003 Location: NJ Posts: 13,337	I bet this thread is gonna be locked down and thrown away. __________________ ISeekGirls.com since 2005

08-16-2010, 06:47 PM	#11
myneid Confirmed User Industry Role: Join Date: Jan 2003 Location: Los Angeles Posts: 736	it is very serious business for any service provider or merchant to have ANY vulnerabilities as per pci dss. every hole needs to be filled in somehow and quarterly scans are required. now i have not verified this myself, but i'm guessing that its bogus. __________________ Tanguy 0x7a69 inc. Programmer/President/CEO http://www.0x7a69.com A Leader in Programming since 1996 PHP, Ruby on Rails, MySQL, PCI DSS, and any Technical Consulting

08-16-2010, 07:28 PM	#15
SwirlsGirl So Fucking Banned Join Date: Feb 2006 Location: between east coast and vegas Posts: 2,067	Hell I am no programmer, but I can attest that it appears that if they are not guilty of any fraud them selves, then some one has hacked them and been able to do a lot of things that have caused many webmasters to question the integrity of the data. Of course for the past year and a half all ccbill has done was assure everyone that what they were seeing (Bizarre to say the least stats anomalies) was their imagination, and have there schills come into gfy and attack anyone raising serious questions! Even if this post is found to be true, the majority of the industry is so brain washed and gullible, they will not believe or care that they could have been getting the fuzzy end of the lolipop

08-16-2010, 07:46 PM	#16
CCBill Paul Confirmed User Industry Role: Join Date: Feb 2004 Location: Cardinal Nation Posts: 1,005	We are and have been looking into this. __________________ Paulk @ CCBill.com \| icq 248615940

08-16-2010, 08:06 PM	#18
SwirlsGirl So Fucking Banned Join Date: Feb 2006 Location: between east coast and vegas Posts: 2,067	Makes you start to wonder about some of those zero sales days really being zero sales days, especially when your back up processors are having sales flurries

08-16-2010, 08:45 PM	#19
BFT3K Too lazy to set a custom title Industry Role: Join Date: Dec 2005 Location: Narnia Posts: 10,764

08-16-2010, 09:07 PM	#22
Loki Confirmed User Industry Role: Join Date: Feb 2004 Location: Michigan Posts: 4,420	only thing I find odd is the 'proof' half a jpg screenshot with red underlines meaning "spelling errors" in most auto spellcheck applications.... and yet on the site that found the 'exploit' the bulk of their other finds have full text files as 'proof' (even with other msql exploit / injections) I did notice that CCBILL is aware of the issue, but I still find the 'proof' a bit odd -Loki-

08-16-2010, 09:21 PM	#23
The Ghost IslandDollars.com Join Date: Oct 2004 Location: Icq: 176176 Posts: 12,188	Thread bookmarked. __________________ ISLAND DOLLARS 1000's of Exclusive TS scenes / Constant Updates Best TS Network your surfers will ever join

08-16-2010, 11:18 PM	#25
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393

08-16-2010, 11:30 PM	#28
LeRoy Porn Pusher Industry Role: Join Date: Jul 2007 Location: It's a dry heat Posts: 13,344	Sounds like there's a few issues to deal with this week. ugh! __________________ JAPANESE CAMS AND CONTENT SITES Teams - leroy.rowland2 Telegram - @lroddd

08-17-2010, 09:01 AM	#30
Beerbar Confirmed User Industry Role: Join Date: Oct 2004 Posts: 145	Anything more from CCBill?

08-17-2010, 12:56 PM	#31
NetHorse Confirmed User Industry Role: Join Date: Dec 2006 Location: Chicago Posts: 3,526	If this is a real concern it should be forwarded to PCI. Request that a SAS 70 report be created. __________________ ┌∩┐(◣_◢)┌∩┐ ICQ # 427013273 Last edited by NetHorse; 08-17-2010 at 12:59 PM..

08-17-2010, 01:01 PM	#32
Ethersync Confirmed User Join Date: Mar 2008 Location: London, Saint-Tropez, Bermuda, Moscow Posts: 5,289	Not a new problem? From March 13th, 2009: http://blog.rstcenter.com/2009/03/13...-in-ccbillcom/

08-17-2010, 01:23 PM	#33
closer Confirmed User Industry Role: Join Date: Sep 2005 Location: ICQ :: 34739932 :: Les Pays-Bas Posts: 1,707	Any site can be hacked/cracked, a financial/banking site should be held up to much higher security standards, as this could potentially give yet another HUGE blow to the adult industry as a whole, which is already at its weakest point to date, if this becomes a CNN item, we're not talking facebook here. In the end, the only real opinion that should matter in such cases is how fast that hacked site fixes the backdoors. It's good to read that CCBill is looking into it and hope they'll update us with any news. __________________ HOT DOMAIN NAMES FOR SALE: EUROPEAN: MACHO.FR ⌘ KINKY.ES ⌘ SEXTOONS.CO.UK ⌘ DOT COMS: DJSEX.COM ⌘ FAQBOX.COM ⌘ WEBCAMSTV.COM ⌘ SEXTWEET.COM ⌘ PORNVOUCHER.COM ⌘ GAYBF.COM \| GAYBFF.COM ⌘ GAYSEXDATE.COM \| GAYSEXDATING.COM

08-17-2010, 05:58 PM	#35
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	bump for a serious issue. __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

08-17-2010, 07:00 PM	#36
Shap Confirmed User Industry Role: Join Date: May 2001 Posts: 8,313	Looking forward to hearing the reply.

08-17-2010, 07:10 PM	#37
cambaby So Fucking Banned Join Date: Feb 2003 Location: CR Posts: 3,141	F.U.D. Leave CCBill alone, NATS is shit

08-17-2010, 07:49 PM	#42
cambaby So Fucking Banned Join Date: Feb 2003 Location: CR Posts: 3,141	...and out come the people who get paid to bash CCBill

08-18-2010, 08:52 PM	#47
NinjaSteve Too lazy to set a custom title Industry Role: Join Date: Dec 2003 Posts: 11,089	Hopefully ccbill will finish looking into it and then come in and say "that shit is bananas!" __________________ ...

08-18-2010, 09:52 PM	#49
Kelli58 Confirmed User Industry Role: Join Date: Aug 2006 Location: Texas Posts: 2,142	So bashing each other aside, did anyone from CCBill address the CCBill security issues yet? __________________ Kandy AI 🍭🍬 Find yourself a sweet Internet girlfriend 🍭🍬