You are here

Payback.in vulnerable to SQL injection attacks

Submitted by Karthik on 21 May, 2012 - 16:17

ZSecure, a security consulting company which made a few ripples last year when it announced vulnerabilities detected on HDFC's website, has made a similar discovery, this time with payback.in. Payback is a firm providing loyalty (reward points) programs for customers, in partnership with a number of well known brands.

ZSecure has provided a vulnerability report which mentions that the site is open to SQL injection attacks corroborating the claim with screenshots of the database. It goes on to state that Payback has not responded to a notice for two months and that the vulnerability is yet to be patched.

Oddly enough, while ZSecure has been careful to protect the phone and card numbers of Payback users in one of the screenshots, it has chosen to not take the same care with their names and e-mail addresses.