CCAvenue.com is a Commerce Service Provider, authorized as a Master Merchant, by Indian financial institutions, to appoint Sub Merchants, to accept and validate Internet payments via Credit Card, and Net banking facilities from the end-customers in real-time. Its one of the leading payment gateway of South East Asia. Today, CCAvenue.com got hacked by a hacker with code name d3hydr8 by exploiting SQL injection vulnerability in the website. The database was identified as MSSQL. Storing passwords in plain text in the database was a bad strategy followed by CCAvenue.
The Hacker News

Vishwas Patel, CEO of CCAvenue, replied on the incident calling it a mischievous slander against their name in an interview to Medianama. The hacker had disclosed the Apache version of the server of the site to be Apache/2.2.14 in his disclosure on seclist. Where as Patel adds that that server version was updated from 2.2.14 to 2.2.17 5 months back. A netcraft screen shot below indicates that the upgrade to Apache 2.2.17 for CCAvenue took place today:
The Hacker News

"There is obviously some mischief somewhere, which we are investigating. Whatever is stored in our database is in an encrypted format, not in text format. This is not of the real live database schema, and we are investigating and give you much more (information). We don't have the same database schema" he adds. Instead of hiding away the loopholes in the security of the site, its better they should learn something from this data breach so that in future they shouldn't be coming up with such excuses. An investigation should be carried out on this issue. The incident has been reported to CERT India to help CCAvenue take right steps in order to secure their database before it gets leak in the open.

Source

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.