
TOPIC: [SOLVED] Security Hole - Need Assistance. Urgent Please.

[SOLVED] Security Hole - Need Assistance. Urgent Please. 13 years 3 months ago #14162

  • Bruce
  • Junior Boarder
  • Posts: 33
  • Thank you received: 0

gswahhab wrote: I'm not sure if this is the case or not. Someone had mentioned that the api id / transaction keys were compromised. You may want to reset your transaction key if you haven't already.

I don't know if this is what actually was compromised or not.

Already reset the key. The transaction id looked like it came from DTdonate. I doubt they got my credentials. They are using DTdonate sites to find valid credit cards.


[SOLVED] Security Hole - Need Assistance. Urgent Please. 13 years 3 months ago #14176

  • nhatfield
  • Fresh Boarder
  • Posts: 2
  • Thank you received: 0

Bruce wrote:

gswahhab wrote: I'm not sure if this is the case or not. Someone had mentioned that the api id / transaction keys were compromised. You may want to reset your transaction key if you haven't already.

I don't know if this is what actually was compromised or not.

Already reset the key. The transaction id looked like it came from DTdonate. I doubt they got my credentials. They are using DTdonate sites to find valid credit cards.


I can confirm this as we are having the same issue.

Upon investigation, it seems that the CAPTCHA is only checked client side, not server side, via the donation form. Using a custom page to post data directly to the processing page bypasses the CAPTCHA entirely.

I've had to shut down our donation page, as blocking the IP is a game of cat and mouse. They'll just change to a new proxy.

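The flaw described in the post above is closed by validating the CAPTCHA on the processing page itself, so a request posted straight to it never reaches the payment gateway. The following is an added sketch in Python, not DT Donate's code and not part of the original thread; `CaptchaStore`, `process_donation`, the form fields `captcha_id` and `captcha_answer`, and the `charge` callback are hypothetical names.

```python
import hmac
import secrets
import time

CAPTCHA_TTL_SECONDS = 300  # assumed lifetime of one challenge


class CaptchaStore:
    """Server-side record of issued challenges (in memory for this example)."""

    def __init__(self, now=time.time):
        self._pending = {}  # challenge_id -> (expected_answer, expires_at)
        self._now = now

    def issue(self, answer):
        """Called when the form is rendered; returns the id embedded in the form."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._now() + CAPTCHA_TTL_SECONDS)
        return challenge_id

    def redeem(self, challenge_id, submitted):
        """Single use: the challenge is consumed whether or not the answer is right."""
        record = self._pending.pop(challenge_id or "", None)
        if record is None:
            return False  # never issued, already used, or field missing
        expected, expires_at = record
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(expected.encode(), (submitted or "").encode())


def process_donation(store, post, charge):
    """Processing endpoint: the gateway is called only after the server-side check."""
    if not store.redeem(post.get("captcha_id"), post.get("captcha_answer")):
        return {"status": "rejected", "reason": "captcha"}
    return {"status": "submitted", "gateway": charge(post["amount"], post["card"])}
```

Because the expected answer lives only on the server and each challenge is consumed on first use, a solved CAPTCHA cannot be replayed for a second charge.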

[SOLVED] Security Hole - Need Assistance. Urgent Please. 13 years 2 months ago #14790

  • thepiston
  • Expert Boarder
  • Posts: 151
  • Thank you received: 0

dthadmin wrote: Guys... sorry this thread wasn't replied to before, but this issue has already been addressed. Upgrade to 2.2.4 and you'll find this can't happen anymore. Also, the IP address is now captured also. Notification of this update went out on email and also has been posted here in the forum (announcements category).

You sure this is fixed? We have like 20 $1 charges all of a sudden using 2.2.4. I also see no failed attempts in the donation records log.


[SOLVED] Security Hole - Need Assistance. Urgent Please. 13 years 2 months ago #14792

  • thepiston
  • Expert Boarder
  • Posts: 151
  • Thank you received: 0

To be fair, I was not using CAPTCHA though.


[SOLVED] Security Hole - Need Assistance. Urgent Please. 13 years 2 months ago #14793

  • Bruce
  • Junior Boarder
  • Posts: 33
  • Thank you received: 0

I have been hit on 2 sites. They seem to be entering it manually with about 2 minutes between transactions. I blocked IP addresses to no avail. What seems to work is to have the bank require address, name and CCV validation and tighten up on the same checking from authorize.net.

The biggest impact we are now seeing is a daily settlement for zero transactions and zero dollars. I suggest you keep your eyes open for any bogus transaction which processed. I had one a few weeks ago which processed for $100. I was able to void it immediately, but the woman must have been very tight. We had about 10 calls asking about the transaction. Chase finally reversed it.
