PAYBACK, India’s largest loyalty program, appears to have a serious vulnerability in its website database that leaves it open to attack. The Indian group zSecure Team has warned PAYBACK about a critical SQL injection vulnerability in the website’s database; if exploited, an attacker could gain access to the portal’s complete database. PAYBACK is a loyalty program built around a single card: members earn loyalty points when they shop at a wide range of merchants and brands, offline and online.
Even though the team notified the company of the vulnerability immediately on discovering it, the company has not taken any action to fix it, and two months have now passed. An attacker who exploits this vulnerability could alter database tables and data, or go further and dump the complete database. zSecure Team has released on its blog a sample database dump from the PAYBACK website containing highly sensitive personal information about its members. The team says it accessed the database only to take screenshots so that the company would believe the flaw actually exists on the website.
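To make the class of flaw described above concrete, here is an added example (not code from PAYBACK’s site or from zSecure Team’s report) that puts a string-concatenated member lookup beside its parameterized form and runs both against a constructed in-memory table. The table, card numbers and e-mail addresses are invented for the demo; `looks_like_injection` is a coarse heuristic of the kind a defender might run over request logs, not a production detector.

```python
import sqlite3

# Constructed sample data: a tiny in-memory members table standing in for a
# loyalty-program database. Nothing here comes from PAYBACK or zSecure Team.
SAMPLE_MEMBERS = [
    ("PB-0001", "asha", "asha@example.invalid", 1200),
    ("PB-0002", "ravi", "ravi@example.invalid", 350),
    ("PB-0003", "meera", "meera@example.invalid", 9800),
]


def build_db():
    """Create and populate the constructed demo database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (card_id TEXT, username TEXT, email TEXT, points INTEGER)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, username):
    # The defect: the caller's input is pasted into the SQL text, so input
    # containing quotes changes the query's structure instead of its data.
    sql = (
        "SELECT card_id, username, email FROM members WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The fix: parameter binding. The driver sends the value separately from
    # the SQL text, so whatever the input contains, it is compared only as data.
    sql = "SELECT card_id, username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection(value):
    # Coarse detection heuristic (assumed, not from the page): flag inputs that
    # carry a quote together with an SQL keyword or comment marker.
    lowered = value.lower()
    return "'" in value and any(
        tok in lowered for tok in (" or ", " union ", "--", ";")
    )


if __name__ == "__main__":
    conn = build_db()
    # Benign input behaves the same either way.
    print(lookup_vulnerable(conn, "ravi"))
    print(lookup_safe(conn, "ravi"))
    # A textbook tautology input (constructed for the demo) widens the
    # vulnerable query to every member row; the safe query matches nothing.
    payload = "x' OR '1'='1"
    print(len(lookup_vulnerable(conn, payload)))  # 3
    print(len(lookup_safe(conn, payload)))        # 0
    print(looks_like_injection(payload))          # True
```

The point for a site owner is the difference between the two lookups: the same request that returns one row through `lookup_safe` returns the whole table through `lookup_vulnerable`, which is exactly the "complete database dump" outcome the report warns about. Binding parameters everywhere user input meets SQL closes that path; the log heuristic only helps you notice attempts after the fact.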
It seems big tech companies are neglecting the basic security needed to protect their data: even after being told about this vulnerability, PAYBACK has taken no action to resolve it. zSecure Team has previously found database vulnerabilities on the HDFC Bank and Timesofmoney websites. Hopefully this exposure by the zSecure group will prompt PAYBACK to fix these vulnerabilities in time and to implement further security measures on its websites to prevent future attacks.