Attention all the e-commerce website owners

I just want to share what I have discovered. I can purchase any product I want for any amount I specify. For example, I can even buy a Macbook Pro for just ₹10, or a 36" LCD HD TV for just ₹2. I am not kidding at all. I have tested it with many shopping sites and most of them have this breach.

Affected Sites :

  • Rediff Shopping – Breach present, but manual bank transaction checks present
  • Flipkart (PayZippy)
  • Infibeam (CC Avenue)
  • Lenskart (CC Avenue)
  • Watchkart (CC Avenue)
  • GoDaddy India (CC Avenue)

Non-affected sites (the following are secure) :

  • Amazon
  • Freecharge
  • Groupon (PayU)
  • IRCTC
  • Myntra
  • Snapdeal
  • eBay
  • Jabong (PayU)
  • ShopClues (BillDesk)

In short, ALL the websites using the PayZippy and CC Avenue payment gateways are prone to this security breach.

Bug Details :-

[#] Title: Purchase any product for any amount.
[#] Affected Payment Gateways : PayZippy, CC Avenue
[#] Status: PayZippy : Fixed | CC Avenue : Fixed
[#] Severity : HIGH, FATAL
[#] Browser: Any Browser
[#] Report date : 11/10/2014
[#] Author: Rahul Vijay Manekari
[#] Email: manekari@outlook.com

Impact :-

– Almost 80% of reputed India-based e-commerce websites are using the PayZippy or CC Avenue payment gateway. Any product from any of the affected websites can be purchased for as low as ₹2.

I want the higher authority from the above non-secure sites to contact me via my email : manekari@outlook.com.

I would like to have a personal meeting which will be the best way to convey my message.

I am not taking advantage of it, nor am I sharing this bug with anyone. I am just saying that the bug is present right there and I am ready to help you guys.

But please, don’t contact me if you are a support guy or a technical department who handles social media support.

PS : I am neither a professional hacker, nor do I know much about security. I am a software product developer and I know how to secure my product. These were just random tests which I was doing with other sites. I have no intention to break down any security barricades.

UPDATE 13/10/2014 : Flipkart has contacted me and I have provided the details. They are working on resolving this issue.

UPDATE 17/10/2014 : CC Avenue has replied and they are working on the fix as well.

UPDATE 18/10/2014 : Bug has been resolved from PayZippy. Flipkart and other merchants using PayZippy Payment Gateway are secure now.

UPDATE 21/10/2014 : It has been resolved in CC Avenue as well.

Thank you.
Regards,
Rahul Vijay Manekari.
