PAYBACK is India’s largest loyalty program. It presents many advantages over traditional, stand-alone customer loyalty schemes restricted to one brand or company only. The power of PAYBACK stems from pooling loyalty benefits from many attractive partners: Using one single card, members earn loyalty points when they shop at a wide range of different merchants and brands – offline and online.
The combination of rapid accumulation of points and their easy redemption for desirable rewards makes PAYBACK so attractive. Other benefits include discounts on purchases through points earned or through coupons and exclusive special offers. Shoppers love these unrivalled features, because they simply get more value for every Rupee spent.
A critical Blind SQL Injection vulnerability was discovered in the Payback web portal a long time back, and we notified the company about the said vulnerability immediately on its discovery. Unfortunately, even more than 2 months after our report, the company has not taken any action to fix this vulnerability, nor have we heard any response from the company. Using this vulnerability, a malicious attacker can gain full access to the portal’s databases (as shown in the screen-shots below), which can later be misused to alter the database tables/data or may further result in a complete database dump. Vulnerable URL:
Proof Of Concept
- 04-Jan-2012: Vulnerability discovered & reported to the company.
- 12-Feb-2012: Reminder sent to the company.
- 21-May-2012: Public Disclosure. No response received from the company & vulnerability found to be unfixed.
- 27-Apr-2016: Vulnerability appears to be fixed now. It took the company more than 4 years to fix this issue.
Status Updated: 27-Apr-2016
No data has been dumped. The database was accessed only to take screen-shots so that we could make the company believe that the aforesaid flaw actually exists. The reason is that most companies tend to treat such advisories/disclosures as junk and don’t believe the researchers, which may later cause them to suffer.
We respect the confidentiality of the company, so we restricted the contents of our screen-shots to some general database contents only. We hope that after this public disclosure the company will take immediate steps to fix this critical vulnerability.
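The advisory above describes a Blind SQL Injection: the attacker never sees query results directly, only whether a crafted condition made the page respond differently, and that yes/no oracle is enough to read the database one bit at a time. The following is an added example, not code from the advisory or from PAYBACK, using a constructed in-memory SQLite table (the member schema and card numbers are invented). It places a card-lookup built by string concatenation beside a parameterised version and shows why only the concatenated one exposes a usable oracle, and why binding parameters closes it.

```python
import sqlite3


def make_db():
    # Constructed sample data; the real portal's schema is not known from the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (card_no TEXT PRIMARY KEY, name TEXT, points INTEGER)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("1000000001", "Alice", 1200), ("1000000002", "Bob", 340)],
    )
    return conn


def card_exists_vulnerable(conn, card_no):
    """Query text is assembled from user input, so quotes and operators in the input become SQL."""
    sql = "SELECT COUNT(*) FROM members WHERE card_no = '" + card_no + "'"
    return conn.execute(sql).fetchone()[0] > 0


def card_exists_safe(conn, card_no):
    """Parameterised query: the driver binds the value, so the input is only ever data."""
    sql = "SELECT COUNT(*) FROM members WHERE card_no = ?"
    return conn.execute(sql, (card_no,)).fetchone()[0] > 0


def leaks_oracle(lookup, conn):
    """A blind oracle exists when two inputs that should both be 'no such card'
    produce different answers depending only on the truth of an injected condition."""
    true_probe = "1000000001' AND '1'='1"   # constructed probe; condition is true
    false_probe = "1000000001' AND '1'='2"  # same card number; condition is false
    return lookup(conn, true_probe) != lookup(conn, false_probe)


def demo():
    conn = make_db()
    return {
        # The concatenated query answers the injected condition: a blind oracle.
        "vulnerable_leaks": leaks_oracle(card_exists_vulnerable, conn),
        # The bound parameter is compared literally; both probes are simply unknown cards.
        "safe_leaks": leaks_oracle(card_exists_safe, conn),
        # Normal lookups still work through the hardened function.
        "safe_legit": card_exists_safe(conn, "1000000001"),
        "safe_unknown": card_exists_safe(conn, "9999999999"),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the parameter marker, not input filtering: `card_exists_safe` never builds SQL from the request, so the same probes that flip the answer in `card_exists_vulnerable` are just strings that match no row. On a live portal the equivalent check for defenders is to confirm that every database call goes through a bound-parameter API, and to alert on repeated requests whose only difference is a trailing boolean condition, which is the signature of someone exploiting exactly this kind of oracle.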