11-04-2020, 07:40 AM
dcortez
DINO CORTEZ™
 
Join Date: Jun 2003
Location: Vancouver Island
Posts: 2,145
I looked at the code. The web page on which you enter your CCBILL password is hosted on the sponsor's site (trust level unknown) and in many cases the form submit passes to CCBILL unsecured (not https).

With active JS, burying a keylogger in the login page by a fake sponsor is not impossible.

Or, your login info could just be sent directly to the password thief.

This is 2020, and all affiliate signup forms/processing should be done on CCBILL's servers. This is not a profoundly new concept.

When you pay for something with PayPal, you do not enter your PayPal login info on the merchant site. You are directed to the PayPal site where you log in, make your payment, and then are redirected back to the merchant. That is what buyers are expecting.

CCBILL should use a similar system.

The idea of having to check the source code of a webmaster login page, instead of relying on digital certificate security (you know when you are on a trusted processor's site - lots of visual bells and whistles), is so '90s.

Aside from the outdated security model, the idea of having affiliate revenues merged and guaranteed to be paid by CCBILL is a good thing.

-Dino

Quote:
Originally Posted by AmeliaG
The signup form part goes to CCBill, not the program. In my experience, the program gets your name, email, and site type info, but not your password or master account number. When you sign up, you choose whether or not to share your mailing address info with the sponsor program.
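Added example, not part of the original post and not CCBill's or any sponsor's code: a static check of a login page's markup for the two conditions the post above describes, a password field served from a host other than the processor and a form that submits without HTTPS. The hosts `sponsor.example` and `processor.example`, the sample HTML, and the names `FormCollector` and `audit_login_page` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_page(page_url, html, processor_host):
    """Return [(resolved_action, findings)] for every form with a password field.
    processor_host is the expected processor hostname, given in lowercase."""
    collector = FormCollector()
    collector.feed(html)
    page, results = urlparse(page_url), []
    for form in (f for f in collector.forms if f["password"]):
        action = urljoin(page_url, form["action"])  # empty action posts back to the page
        target, findings = urlparse(action), []
        if page.scheme != "https":
            findings.append("page served without HTTPS")
        if page.hostname != processor_host:
            findings.append("password typed on a host other than the processor")
        if target.scheme != "https":
            findings.append("form submits without HTTPS")
        if target.hostname != processor_host:
            findings.append("form submits to a host other than the processor")
        results.append((action, findings))
    return results

# Constructed sample: hypothetical sponsor-hosted login page posting over plain HTTP.
SAMPLE_URL = "http://sponsor.example/affiliates/login.html"
SAMPLE_HTML = """<form action="/search"><input type="text" name="q"></form>
<form method="post" action="http://processor.example/login">
  <input name="user"><input type="password" name="pass"></form>"""

if __name__ == "__main__":
    for action, findings in audit_login_page(SAMPLE_URL, SAMPLE_HTML, "processor.example"):
        print(action, findings)
```

A clean result here covers only the markup: script running on the hosting page can still read the field before submission, so the "password typed on a host other than the processor" finding matters even when the form action itself is HTTPS.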