In October 2016, the adult dating site “AdultFriendFinder” became the victim of one of the largest personal data breaches ever recorded, with more than 412 million account details being exposed. The leaked details included customers' emails, passwords, membership status, dates of visits, information about the browsers they were using and even the IP addresses they used for access. Adult Friend Finder also owns other adult sites such as Cams.com and Penthouse.com, which also suffered from the attack, losing around 70 million account details between them.

One of the more surprising finds by the hackers was almost 16 million “deleted” accounts that had never actually been purged from the company's data. Along with these accounts, files were taken containing employee names, their home IP addresses and even the VPN keys used to access the company's servers remotely. Many of the stolen customer account details were soon made available for purchase on criminal marketplaces. This was not the first time Adult Friend Finder had been hacked.
Back in May 2015, the personal data of around 4 million users was left exposed, including not only their personal details but their sexual preferences and other sensitive personal information. This attack was performed by a hacker going by the name “RORRG”, whose motivation was to collect revenge money owed to “his guy”. Together with a further ransom demand, the attacks ended in a total financial loss of around $350,000 (~£230,000) for Adult Friend Finder, along with much public scrutiny of its online security policies. Security experts have since been very critical of the site's lack of care for public security and of it not doing enough to prevent another breach.

Given that it had already been the victim of a successful and costly attack, it was surprising that the passwords stored in Adult Friend Finder's databases were either held in plain text or hashed with SHA-1, which were cracked very quickly with minimal effort.
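To make the difference concrete, the following PHP is an added example written for this page; it is not code from the article and not Adult Friend Finder's code. It puts the unsalted SHA-1 scheme the article describes beside PHP's built-in password_hash() and password_verify(), and adds a migration check that re-hashes a legacy SHA-1 entry at the user's next successful login. The function names and the sample password are constructed. The practical problem with a bare SHA-1 digest of a password is less SHA-1's collision weakness than its speed and lack of a salt: identical passwords produce identical digests, and an attacker can test guesses against precomputed tables at full hashing speed.

```php
<?php
// Added example (not from the article): why an unsalted SHA-1 digest fails as a
// password store, and the PHP-native replacement. Sample values are constructed.

// The weak scheme the article describes: a bare SHA-1 digest of the password.
// Two users with the same password get the same digest, and every guess can be
// checked at full hashing speed against precomputed tables.
function legacyStore(string $password): string {
    return sha1($password);
}

// Recommended replacement: password_hash() generates a random salt and uses a
// deliberately slow algorithm (bcrypt under PASSWORD_DEFAULT), so equal
// passwords yield different stored strings.
function store(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Migration check: a stored value of exactly 40 hex characters is a legacy
// SHA-1 digest (password_hash() output starts with an algorithm prefix).
function isLegacyHash(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

// Called on login: returns the value that should now be stored for the user,
// or null if the supplied password is wrong.
function upgradeOnLogin(string $password, string $stored): ?string {
    if (isLegacyHash($stored)) {
        // Verify against the old scheme once, then replace it.
        return hash_equals($stored, sha1($password)) ? store($password) : null;
    }
    if (!verify($password, $stored)) {
        return null;
    }
    // Re-hash if the cost parameters have been raised since this was stored.
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? store($password) : $stored;
}

// Demonstration with a constructed password.
$a = legacyStore('hunter2');
$b = legacyStore('hunter2');
var_dump($a === $b);                                  // same password, same digest: no salt
var_dump(store('hunter2') === store('hunter2'));      // salted: the strings differ

$upgraded = upgradeOnLogin('hunter2', $a);            // legacy entry replaced on login
var_dump($upgraded !== null && !isLegacyHash($upgraded) && verify('hunter2', $upgraded));
var_dump(upgradeOnLogin('wrong-password', $a));       // wrong password: null
```

password_hash() embeds the salt and cost factor in the returned string, so no separate salt column is needed, and password_needs_rehash() lets the cost be raised later without a one-off migration. The isLegacyHash() check relies only on the fixed 40-character length of a hex SHA-1 digest.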
This is terrible practice for a company which is constantly handling so many people's sensitive data on a daily basis, especially considering it had been hacked the previous year. SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which was first implemented in 1995 and has been known to be vulnerable to attack for the last 10 years. Due to its obvious flaws and the availability of a number of more reliable successor hash algorithms, the U.S. National Institute of Standards and Technology banned the use of SHA-1 by U.S. federal agencies in 2010, and digital certificate authorities have not been allowed to issue SHA-1 signed certificates since January 2016. This shows an extreme lack of care from AdultFriendFinder and simple laziness on the security front.

Who is responsible?

Diana Ballou, the vice president of Friend Finder Networks, received “a number of reports that there were security vulnerabilities” and followed up to explain: “While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability” (ZDNet, 2016).
This information from Diana shows some obvious flaws in the way the company's servers were being run. The issue was first brought to light by a researcher who goes by the alias “1x0123” or “Revolver”. Not long before the attack, Revolver posted screenshots taken on Adult Friend Finder showing a Local File Inclusion vulnerability being triggered. A Local File Inclusion (LFI) allows an attacker to have files stored elsewhere on the server included in the output of an application. This can eventually allow an attacker to run malicious code on the web server remotely. Revolver went on to explain that the vulnerability was found in a module on the production servers used by Adult Friend Finder.

A second notorious hacker going by the alias “Peace” also admitted that he had breached Adult Friend Finder, and had already passed some of the information he had gathered on to a further group of hackers. Speaking to Motherboard (Vice), “Peace said he had taken advantage of a backdoor that was publicised on Hell (Hacking Forum) two years ago, and said he used it last week to download a database of 73 million users” (Lorenzo Franceschi-Bicchierai, 2016).

The fact that Peace was able to use an exploit which was found and used over 2 years ago on a similar site shows how easy it was for someone to obtain the information needed to gain access to the company's servers and, furthermore, just how out of touch Adult Friend Finder's security was to allow a second attack like this. Peace followed up to agree with the claims made by Revolver that his attack was also via a Local File Inclusion.

How was it done?

The breach performed in October 2016 was a Local File Inclusion (LFI) attack, something confirmed by two hackers who both claimed to have infiltrated the site and later confirmed by Adult Friend Finder themselves. LFI is a common vulnerability in poorly written web applications and can grant a hacker access to a website and let them read files from the system. Munin, a defensive security consultant, explains: “Such a flaw can let hackers do “all kinds of things” including accessing any parts of the server, running code on it, and even theoretically spying on users' activities” (Munin, 2016). A vulnerability such as this, giving complete access and surveillance to an attacker, can allow the attacker to essentially take control of the web server. More importantly, it can be very hard to become aware of any breach if the attacker is simply monitoring activity rather than acting maliciously after the break-in. This is even more serious on a network such as Adult Friend Finder, which is constantly receiving and modifying people's private details and credentials.
The basis of the attack is that an attacker tricks the web application into including files on the web server by exploiting functionality that dynamically includes local files or scripts (Muscat, 2017). A successful LFI attack like this can then lead to Remote Code Execution (RCE), allowing an attacker to run commands on that system. These commands are often used to elevate the attacker's privileges on the system, granting them free roam of the system and, furthermore, the internal network.
Local File Inclusions were listed as the second most recorded web application attack vector in Akamai's “Q3 2016 State of the Internet / Security Report”, behind SQL injection (SQLi) (Curran, 2016).

The first thing an attacker must do when performing an attack through an LFI vulnerability is to assess and identify any vulnerabilities which they can exploit. LFI attacks primarily take advantage of web applications written in the PHP programming language. Since PHP is used by around 75% of all websites today, this attack has become very common against poorly written web applications. Any script found that includes a file from a web server is a good candidate for further testing. For example, see Figure 1.

Figure 1 (Vulnerable PHP script, 2015)

An attacker would then attempt to exploit this by manipulating the file location parameter. Once an LFI injection point has been found, the attacker would then use it to gather as much data as they can about the system.
This can be done very easily using a list of requests that read certain file locations such as /etc/passwd or /etc/shadow. The following is an example of an attempt to exploit a vulnerability by manipulating the file location parameter (see Figure 2). It shows an attempt to display the contents of the /etc/passwd file on the system.

Figure 2 (Manipulating the File Location Parameter, 2015)

Shown below are the results of a successful exploitation on a web application (see Figure 3).

Once the attacker has gained access to and knowledge of the system, they will then proceed to upload a file upload script into /tmp on the system, and then, using the file upload, they can add additional files to the system.
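From the defender's side, the parameter manipulation described above leaves a recognisable trace in the web server's access log. The following PHP is an added example written for this page, not code from the article or from any of the sources it cites: it extracts the request target from each log line, URL-decodes it so that encoded variants are not missed, flags traversal sequences and references to /etc/passwd or /etc/shadow, and records the response status so that a request that was answered with 200 can be escalated first. The log lines, IP addresses, rule names and function names are all constructed for the example.

```php
<?php
// Added example (not from the article): flag access-log entries that carry
// LFI-style file location manipulation. The log lines are constructed samples
// in Apache combined log format; the addresses are documentation ranges.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Oct/2016:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2016:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.47"
203.0.113.9 - - [10/Oct/2016:12:00:03 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 211 "-" "curl/7.47"
198.51.100.2 - - [10/Oct/2016:12:00:04 +0000] "GET /about.php HTTP/1.1" 200 740 "-" "Mozilla/5.0"
LOG;

// Rules applied to the decoded request target. Names are constructed.
const LFI_RULES = [
    'traversal'      => '#(\.\./|\.\.\\\\)#',          // ../ or ..\ sequences
    'sensitive_file' => '#/etc/(passwd|shadow)\b#i',   // files named in the article
];

// Pull the request target and status code out of one combined-format line.
// Returns null for lines that do not match the expected shape.
function parseRequest(string $line): ?array {
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['target' => $m[1], 'status' => (int) $m[2]];
}

// Return the names of every rule that fires for this line.
function classify(string $line): array {
    $req = parseRequest($line);
    if ($req === null) {
        return [];
    }
    // Decode first: %2F and friends would otherwise slip past the patterns.
    $decoded = rawurldecode($req['target']);
    $hits = [];
    foreach (LFI_RULES as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a whole log and return one alert per suspicious line.
function scanLog(string $log): array {
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hits = classify($line);
        if ($hits === []) {
            continue;
        }
        $req = parseRequest($line);
        $alerts[] = [
            'client' => strtok($line, ' '),   // first field: client address
            'status' => $req['status'],
            'rules'  => $hits,
            // A 200 means the server answered the manipulated request; treat
            // it as a possible successful read rather than a blocked probe.
            'priority' => $req['status'] === 200 ? 'high' : 'medium',
        ];
    }
    return $alerts;
}

foreach (scanLog($sampleLog) as $alert) {
    printf("%-12s %s status=%d rules=%s\n",
        $alert['client'], $alert['priority'], $alert['status'], implode(',', $alert['rules']));
}
```

Run against the constructed sample, the two requests from 203.0.113.9 are flagged and the ordinary page loads are not; the one that received a 200 is marked high priority because the server may actually have served the file. In production the same logic would run over the real access log and feed a SIEM or alerting pipeline, with the rule list extended as needed.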
By managing to get their malicious code onto a web page, the attacker can then convince a PHP script to include a remote file instead of a presumably trusted file from the local file system. If they succeed in including “external” files on the victim's web page, they can then execute commands as they wish on the victim's web server. Shown below (see Figure 4) is an example in PHP of a vulnerability to LFI. The PHP script executes on the server side at runtime. It shows how, by exploiting just two lines of code, the attacker can trick the application into taking a file and executing it, allowing them to upload whatever they wish to the web server. From this point attackers are likely to create or upload a script such as a “web shell”.
A web shell is a script which can be uploaded to the web server allowing remote administration of the machine. This can sometimes lead to the attacker gaining access to the internal network and to other internal hosts. It is these web shells which allow hackers to harvest sensitive data and credentials. This is likely to be what happened in the Adult Friend Finder case, allowing the attackers to gain access to multiple web servers and databases from many different sites.

Figure 4 (PHP Vulnerability to Local File Inclusion (LFI), 2016)

Shown here (see Figure 5) is an example of a file an attacker may upload, which will be run as the user running the web application, allowing the attacker to run any code they wish.

Figure 5 (Example of Attacker file upload, 2016)

How to prevent LFI attacks?

There are many things that a company can and should do to prevent being hit by an LFI attack, and it all comes from eliminating any LFI vulnerabilities. This starts by securing the PHP code of the website and not allowing any opening for attackers.
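As an added illustration of what “securing the PHP code” means in practice, the following example was written for this page; it is not the article's own code, nor code from Adult Friend Finder. It shows the dynamic-include pattern the article describes next to a hardened version that maps the request parameter onto an allow-list of known files and then verifies, with realpath(), that the resolved path still lies inside the intended directory. The directory name pages/, the parameter name page, the file names and the function names are constructed for the example.

```php
<?php
// Added example (not from the article or from Adult Friend Finder's code):
// a request-controlled include beside an allow-listed, path-checked version.

// VULNERABLE: the request decides which file is included. A traversal sequence
// or an absolute path pulls in any file the web server user can read, which
// is the LFI pattern the article describes.
function includePageVulnerable(string $page): void {
    include 'pages/' . $page . '.php';
}

// HARDENED, step 1: only known keys map to files; everything else is refused.
// Keys and file names are constructed for the example.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Resolve a request value to an absolute path inside pages/, or null.
function resolvePage(string $page): ?string {
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;   // pages/ directory missing: nothing to serve
    }
    $path = realpath($base . '/' . ALLOWED_PAGES[$page]);
    // HARDENED, step 2 (defence in depth): even a listed file must resolve to
    // a location under pages/, so a bad entry added later cannot escape it.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(string $page): void {
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Entry point: the request parameter is only ever used as a lookup key.
includePageSafe($_GET['page'] ?? 'home');
```

The allow-list alone closes the hole, because a value such as ../../etc/passwd is never a key in ALLOWED_PAGES; the realpath() prefix check is there so that a later edit to the list cannot quietly reopen it. At the PHP configuration level, allow_url_include should stay Off (its default) so that include cannot fetch remote files, and open_basedir can restrict which directories PHP is permitted to read from at all.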
It is critical for companies operating such sites to use application security testing software, along with competent web developers to create and maintain the site, to provide ongoing security. The security testing software is a solution which will scan for and identify any known code vulnerabilities, along with addressing any industry compliance regulations, something which was lacking in all areas at Adult Friend Finder. It is important to perform these tests often, with updated software, as attackers are constantly finding new exploits in order to gain access.

Conclusion

The fact that the Adult Friend Finder network lost over 412 million accounts' worth of details, just a year after being breached in a similar manner, shows an inexcusable lack of care for customers' private details and credentials. The company had made little to no improvement to its security in regard to both its web servers and the protection of the data stored in its databases. The company not only used insufficient password hashing which was outdated by many years, but even held some employee and user information in plain text. This attack has gone down as one of the biggest data breaches to date and has set an example to other large web-based companies of the importance of their security policies and infrastructure.
Locating and taking advantage of an LFI vulnerability has become so easy and available to everyone, since the software required can be acquired online along with numerous in-depth tutorials giving step-by-step instructions on how to carry out such an attack. This is one of the reasons this kind of attack has quickly become one of the most popular attacks carried out in today's online society. With so much information available to the public about how to carry out these attacks, one would assume that companies would be investing just as heavily in security and in preventing these attacks from happening to them.