I just want to share what I have discovered. I can purchase any product I want for any amount I specify. For example, I can even buy a MacBook Pro for just ₹10, or a 36" LCD HD TV for just ₹2. I am not kidding at all. I have tested it with many shopping sites and most of them have this breach.
Affected Sites :
- Rediff Shopping – Breach present, but manual bank transaction checks present
- Flipkart (PayZippy)
- Infibeam (CC Avenue)
- Lenskart (CC Avenue)
- Watchkart (CC Avenue)
- GoDaddy India (CC Avenue)
Non-affected sites (the following are secure) :
- Groupon (PayU)
- Jabong (PayU)
- ShopClues (BillDesk)
In short, ALL the websites using the PayZippy and CC Avenue payment gateways are prone to this security breach.
Bug Details :-
[#] Title: Purchase any product for any amount.
[#] Affected Payment Gateways : PayZippy, CC Avenue
[#] Status: PayZippy : Fixed | CC Avenue : Fixed
[#] Severity : HIGH, FATAL
[#] Browser: Any Browser
[#] Report date : 11/10/2014
[#] Author: Rahul Vijay Manekari
[#] Email: email@example.com
Almost 80% of reputed India-based e-commerce websites are using the PayZippy or CC Avenue payment gateway. Any product from any affected website can be purchased for as low as ₹2.
I want a higher authority from the above non-secure sites to contact me via my email : firstname.lastname@example.org.
I would like to have a personal meeting which will be the best way to convey my message.
I am not taking advantage of it, nor am I sharing this bug with anyone. I am just saying that the bug is present right there and I am ready to help you guys.
But please, don’t contact me if you are a support guy or a technical department that handles social media support.
PS : I am neither a professional hacker, nor do I know much about security. I am a software product developer and I know how to secure my product. These were just random tests which I was doing with other sites. I have no intention of breaking down any security barricades.
UPDATE 13/10/2014 : Flipkart has contacted me and I have provided the details. They are working on resolving this issue.
UPDATE 17/10/2014 : CC Avenue has replied and they are working on the fix as well.
UPDATE 18/10/2014 : The bug has been resolved in PayZippy. Flipkart and other merchants using the PayZippy payment gateway are secure now.
UPDATE 21/10/2014 : It has been resolved in CC Avenue as well.
Rahul Vijay Manekari.