A Story of payment gateway bypass in Rozee.pk

Companies do not pay attention to online systems, they sometimes don’t even know that their services are being compromised by hackers and hackers are enjoying the fruit on back end. This is the most common threat now a days & it can become a nightmare for a company.

Myself, M.Hassan Khan Yusufzai is Cyber Security Researcher from Lahore, Pakistan. I have been working to overcome the cyber space in Pakistan & to secure there online existence. I have found vulnerabilities in famous websites like Twitter, Microsoft, Ebay, Indeed, Magento and many others. This blog is just to spread awareness for the developers of Pakistan. We think we are secure but actually “Nothing is secure”.

First let me make your familiar with rozee.pk.

ROZEE.PK is Pakistan’s number one online job portal site which connects talent with opportunity. ROZEE.PK provides services to the job seekers and employers by providing them one platform for job searching and hiring, respectively.

Few days back,i joined the the awesome platform of rozee.pk. whenever, I join new platform first i look which services they are providing. So I found some premium services and features in rozee, which are in my opinion are just awesome. Below are services that rozee is providing.

So while exploring and using the platform, as a mind of Hacker I thought why not to test the application? I started looking for vulnerabilities in rozee and guess what happend? I managed to found a flaw in rozee payment gate way. I was able to create invoice of ROZEE premium just in 1.00 Rs. I just grabbed my credit card and paid 1.00 with it. After paying i got email that ROZEE premium is activated. i was like LOL?

I contacted the CEO of Rozee and explained about the vulnerability. His response was really amazing. CEO instantly contacted the developers of Rozee. Developers traced out the vulnerability very quickly. Within a few minuets they identified the vulnerability & also made local fix.

CEO: Thanks developers have identified and fixed locally .

CEO: greatly appreciated

He really liked my ethical approach for reporting vulnerability. After 2 hours developers deployed a patched and issue was fixed. I re-tested the issue & it was nicely patched. After Fix CEO awarded me with the bounty as a token of appreciation.

Note:

I wrote this blog just to aware the local brands and companies of Pakistan that how they are vulnerable to major security flaws. This is not the first time that I have reported vulnerability to Pakistani site but the difference is some of them takes security seriously and some are not. My job was to highlight the vulnerability and that’s what I did!

Conclusion:

[+] Pentest your system

[+] Code Audit is must

[+] Hire experienced Cyber Security consultants

[+] Support Team for communication

Let me know if you need Assessments of your application.