How I found a Critical Vulnerability on Popular Payment Gateway: CCAvenue

0x5uryax1 - Surya
5 min read · Jul 18, 2024


Hello Everyone,

I am Surya, a passionate cybersecurity researcher and a Security Analyst.

I didn’t mean to publish this blog at this time, but the critical nature of the vulnerability and the vendor’s lack of response made me do so 😕.

Back Story

I had found a vulnerability in CCAvenue and shared some vulnerable endpoints with the CCAvenue Service Team over email, but they neither replied to that mail nor tried to contact me.

So I thought of including senior members of CCAvenue and also their clients, like Mercedes-Benz. After sharing the report, I did get a reply, but not from CCAvenue: the Mercedes-Benz Security Team confirmed that my bug is valid and that they will deploy the fix as soon as possible.

Acknowledgement I got from Mercedes-Benz

I had only included one vulnerable endpoint in that report because I included Mercedes-Benz.

After this, a senior person at CCAvenue contacted me over the phone and by mail to discuss the vulnerability, and I shared the report with him, including all the vulnerable endpoints that I had found.

Email that I sent to the Senior Person of CCAvenue

Some days after that they offered me a job, which I was interested in, but the pay didn’t meet my expectations.
I was in touch with him over WhatsApp. Two months after my submission I mailed them to get the status of the vulnerability, but they didn’t reply to that mail. Then I messaged him over WhatsApp and he said they had been very busy, so it had been on the back burner for those two months 😧

Before posting this blog, I messaged them on WhatsApp about the Google Project Zero 90-day deadline and asked how they wanted to proceed, but they haven’t replied yet.

Now I will describe the vulnerability I found, without disclosing any sensitive information about the endpoints.

Let’s Get Started ….

Before that, we have to know what Project Zero is.

According to Wikipedia,

Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released[2] or if 90 days have passed without a patch being released.[7] The 90-day-deadline is Google’s way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks.[7] There have been cases where the vendor does not produce any solution for the discovered flaws within 90 days, before the public disclosure by the team, increasing the risk to already-vulnerable users.[8]

So it has been more than 90 days since I submitted the vulnerability, and I had told them that I have the right to do so.

Honestly, I didn’t mean to test their website, but I had to, because I am a follower of a very popular Guru in India and I wanted to buy something from their e-commerce website, but I didn’t have the money at the time. So I thought, why not test their website? As a passionate cybersecurity researcher I was curious about bypassing their payment flow, and I did bypass it, but I let them know about the vulnerability and also about me taking the subscription that I needed, and they fixed that. Below is the proof that I told them about the vulnerability and ...

Mail That I had sent.

While making the payment I observed that their website uses CCAvenue’s payment gateway, so to make the payment I needed to check the payment gateway.

I won’t reveal how I found it, but this is what I found.

After doing enumeration for maybe 2 to 3 days, I found a URL that was really suspicious to me and that led to several other suspicious URLs; I now have maybe close to 100 URLs that are vulnerable.

After trying to craft a request body, I found that some of those endpoints are used to get transaction details and are used by their clients to verify whether a transaction succeeded or failed, along with other sensitive transaction data.

I found out that the endpoints take a parameter called transactionid and return the transaction data for that ID, so I tried to find a valid transaction ID, but I didn’t have any, so you know what I did 😅.

After some days I found a valid transaction ID and all the transaction data, which included customers’ PII, bank references, etc., and also found out that there was an IDOR in it as well 😃.

My next reaction was to report that vulnerability to the vendor, but I also had some endpoints that looked like they were for updating transaction details. So I checked those as well and found that I could modify transactions too, any field on the transaction; for example, I could change a Failed transaction to Successful.

Below are the proofs:

The endpoints below are used to get transaction details by transaction ID.

Fig 1.1: Endpoint used to get the transaction details.
Fig 1.2: There was a lot more data than this.

Transaction Modification Proofs

I reverted the changes that I made for the PoC.

In Fig 1.1, observe order_status: Success and status_message: “Transaction is successful”.
I tried to change them and here is the result.

Fig 2.1: Observe the order_status and status_message fields.
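The access-control failure behind both findings (reading any transaction by its ID, and overwriting its status fields) in a small Python model, shown as the vulnerable handler next to a hardened one. This is an added illustration, not CCAvenue’s code; the in-memory store, merchant IDs, transaction IDs and the merchant_note allow-list are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Transaction:
    tx_id: str
    merchant_id: str            # merchant account that owns the order
    order_status: str           # "Success" / "Failure"
    status_message: str
    customer: Dict[str, str] = field(default_factory=dict)  # customer PII
    merchant_note: str = ""     # the one field a merchant may edit

# Constructed sample data: two merchants, one transaction each.
TX_STORE: Dict[str, Transaction] = {
    "TX1001": Transaction("TX1001", "merchantA", "Failure", "Transaction failed",
                          {"email": "a@example.com"}),
    "TX1002": Transaction("TX1002", "merchantB", "Success", "Transaction is successful",
                          {"email": "b@example.com"}),
}

# Vulnerable pattern: whoever supplies a transaction id reads that record (IDOR),
# and the update path overwrites any field, order_status included.
def get_transaction_vulnerable(tx_id: str) -> Optional[Transaction]:
    return TX_STORE.get(tx_id)

def update_transaction_vulnerable(tx_id: str, fields: Dict[str, str]) -> bool:
    tx = TX_STORE.get(tx_id)
    if tx is None:
        return False
    for name, value in fields.items():
        setattr(tx, name, value)  # no ownership check, no field allow-list
    return True

# Hardened pattern: lookups are scoped to the authenticated merchant, and writes
# are limited to an allow-list; status fields change only via settlement logic.
CLIENT_WRITABLE = {"merchant_note"}  # hypothetical allow-list for this example

def get_transaction(tx_id: str, auth_merchant: str) -> Optional[Transaction]:
    tx = TX_STORE.get(tx_id)
    # Answer "not found" for foreign ids too, so valid ids cannot be enumerated.
    if tx is None or tx.merchant_id != auth_merchant:
        return None
    return tx

def update_transaction(tx_id: str, auth_merchant: str, fields: Dict[str, str]) -> bool:
    tx = get_transaction(tx_id, auth_merchant)
    if tx is None or not set(fields) <= CLIENT_WRITABLE:
        return False
    for name, value in fields.items():
        setattr(tx, name, value)
    return True
```

With the hardened functions, a caller authenticated as merchantA can neither read merchantB’s transaction nor flip its own failed order to Success, which is exactly what the vulnerable pair allows.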

After finding these, I immediately reported the vulnerability; it has been more than 90 days and it is still pending a fix.

Thank you for reading this blog.

Share this so that it reaches them and they take the necessary action to resolve this bug as soon as possible.
Like and follow for more 😃.

Linkedin: Surya Mathur


Written by 0x5uryax1 - Surya

I love cracking machines and I'm willing to learn as much as I can and contribute to my community. Love from Surya 🖤
