Credit card compromised after use at WHMCS?


malfunction

Could just be advanced paranoia after so many WHMCS vulnerabilities, but has anyone else had their credit card compromised after using it with WHMCS recently? I have a company Visa card that has been used only three times this month (by me, that is) and never left my hand at any point:

Oct 10 - local gas station

Oct 17 - local supermarket

Oct 21 - WHMCS subscription renewal to be able to get security updates

Oct 28 - bad guys start major shopping spree with my card number

Could all be coincidence of course, but it wouldn't be the first time my card number escaped from the custody of WHMCS and all the recent exploits would apply equally to WHMCS' own install as much as ours, wouldn't they...

I ceased storing a credit card number in your system after the last time you lost control of my card number, so a database leak of some kind is not what I am suggesting. But perhaps something along the lines of a back door, a modified gateway script that calls home with card numbers, that kind of thing - many clients of yours have had malicious scripts uploaded to their sites due to WHMCS exploits, so that does seem feasible. Just looking to see if it's isolated to me, and therefore just a coincidence, or if others have seen this too.

SiteOx: yes, thanks, I know that goes on, not sure how that would get anybody the CVV code that would be needed to go on an internet shopping spree though.

MyEvolutionHost: my card was not attached to my WHMCS account, but I am suggesting that it wouldn't be all that difficult to modify the gateway script to send the card details somewhere else in addition to the gateway, if you had file access as recently occurred.

Could all be a coincidence of course, but fraudsters do tend to try and use card numbers while they are fresh. Plus, to be honest, who would you least trust with your card details, Chevron Corporation, Safeway Inc. or WHMCS Ltd. and their godawful security record?

And what do you know about Safeway/Chevron security... most are never reported... what you said is not far and is in fact stupid on your part...


If you mistrust and hate them so much, why do you stay?

Hate is a bit of a strong word, but trust has to be earned, or be earned back after being lost in this case. Nobody, not even the illustrious Mr Pugh, can claim that WHMCS has anything other than a really poor security record, a multitude of published serious exploits, their own site compromised and so on - plus this wouldn't be the first time they lost their grip on my credit card number so suspicion is only natural. I call Fair Comment.

Why do I stay (apart from the fact that I've paid for this product, all the add-ons, apps, mods, themes, custom work etc.)? Because while life with WHMCS has just been one disappointment after another, a panic departure to the competition may be no better. I mean, look at them:

1. HostBill - awesome product, but the company is run by a loony.

2. ClientExec - used that for six years and it had some designed-in structural problems that I couldn't get past. Watching closely for their new release though, and will be using my owned CE license to test as soon as practicable.

3. Blesta - worth keeping an eye on, but not ready for prime time, imo.

4. Parallels Business Automation - evaluating that, as WHMCS in bed with cPanel will only see the limited Plesk integration getting even worse, but it's pretty scary putting your business under the complete control of a Parallels product.

5. Ubersmith - too expensive, everything else is pretty much dead or still only half-written.

It took me over A MONTH of 16 hours a day, 7 day weeks to migrate my client base, card numbers, packages, domains and everything to WHMCS, so a hasty decision to leave for something that's also badly flawed is not something I'm prepared to take. However if I was to start a new brand or project I would 100% use something else. Anything else.
