Local File Inclusion Vulnerability

How a Local File Inclusion Vulnerability led to the AdultFriendFinder Hack

Nov 21, 2016 By Paul Curran

For millions of users, and former users, of websites on the Friend Finder Network, the service built to bring them closer to their fantasies is turning into a nightmare. In what Wired is calling a “privacy catastrophe,” over 400 million accounts and deleted accounts, were breached on one of the world’s largest adult dating websites as the result of a Local File Inclusion vulnerability. AdultFriendFinder . com was acquired by Penthouse in 2007, which subsequently changed its name to Friend Finder Network. Under the Friend Finder Network exists numerous adult websites of which AdultFriendFinder . com is the largest. Combined, these websites contain over 412 million past and present users, all affected by the latest hack. Besides AdultFriendFinder . com, the Friend Finder Network includes numerous adult-oriented “hookup” websites which include Penthouse.com.

Adult Friend Finder Hack Background

In mid-2015 when the Ashley Madison hack by the self-styled vigilante group known as the “Impact Team” occurred, one would expect that any organization dealing with such sensitive topics as adultery would have had the intelligence, and foresight, to ensure that their applications and sensitive user data were as secure as possible. Unfortunately, this was not the case.

local file inclusion vulnerability

Web sites included in the Friend Finder Network affected by the hack. Source: www.leakedsource.com/

Prior to the July 2015 Ashley Madison hack, the Friend Finder Network had an additional wakeup call to their insufficient state of security when over 3 million active users had some personal details leaked. This data included their sexual preference – something not leaked in this current hack.

 

Unlike financially motivated hacks, these highly personal data breaches can wreak havoc whose damage cannot be undone with an updated password. The amount of personal details leaked here (including, among other things, passwords, last login, and email address) can tear families apart, jeopardize jobs and even worse.

 

The professional nature of many of the email addresses found in the Ashley Madison hack (.gov, .mil, etc.) should have served as a wakeup call for users engaging in this behavior, however with the professional emails contained in this breach seems to show that people are still using work accounts for questionable activity.

local file inclusion

Evidence of professional email accounts contained within the Friend Finder user database. Source: Twitter User/security researcher real_1x0123

15 Million Deleted Accounts?

Additionally, LeakedSource.com noted that a number of the emails had certain characteristics that could indicate that they were from users who may have attempted to delete their accounts:

“While perusing the data we noticed that a significant amount of users had an email in the format of: email@address.com@deleted1.com. Uh-oh.

We’ve seen this situation many times before and it likely means these were users who tried to delete their account but the data is obviously still kept around because you know, we’re looking at it. According to a reporter it is impossible to register an account using an email that’s formatted this way which means the addition of “@deleted.com” was done behind the scenes by Adult Friend Finder. So counting the amount of emails with “@deleted” near the end, we have 15,766,727 “deleted” accounts in AdultFriendFinder . com.”

 

Large Data Leaks by Numbers:

2014  Yahoo – 500 million

2016 Adult Friend Finder – 412 million

2013 MySpace – 359 million

2015 Ashley Madison – 33 million

 

The Local File Inclusion Vulnerability Behind the Hack:

The exploited vulnerability that led to the disastrous breach, and subsequent consequences, of this massive hack is a Local File Inclusion (LFI).

Local File Inclusions, when exploited, allow attackers to execute arbitrary code by influencing the library which is dynamically loaded on the server. Any software library loaded on the server, such as file upload feature, can be included in the attack which can allow the malicious party to control the code run by the application or even enable complete server takeover. In this case, the hacker was able to include files located in a different part of the server in the output of an application.

Local File Inclusions were listed as the second most recorded web application attack vector in Akamai’s Q3 2016 State of the Internet / Security Report behind SQL injections (SQLi).

 

How Could this Hack have been Prevented?

When it comes to protecting against Local File Inclusion vulnerabilities, do not dynamically load code libraries, especially not based on user input.

Additionally, it is necessary to use untrusted data to select the library to be loaded, verify the input matches a predefined set of whitelisted library names. Alternatively, use the input as an identifier to select from the whitelisted libraries.

Further reading: OWASP PHP File Inclusion

Insufficient Encryption

While it’s clear that it was a Local File Inclusion that allowed malicious parties to access the private user details of millions of users, there is a second security flaw that adds another risk to this already devastating hack: insufficient encryption.

Anyone who was able to access the excel sheets containing the leaked data is able to see that the “user name” column contains encrypted passwords. The encryption method employed to keep prying eyes away from the plain text versions, however, is Secure Hash algorithm 1 (SHA-1) which back in 2005 was deemed by cryptanalysts too insecure for ongoing use.

Further Reading: All About Encryption: Security, News and a Brief History

 

Securing Your PHP Code

Using BuiltWith.com, it’s easy to see that this LFI would have been contained within the PHP code used to power Adult Friend Finder. As over a quarter of all websites on the internet are built using PHP it’s critical to use an application security testing solution in order to ensure that vulnerabilities do not make it to production.

Local File Inclusion Vulnerability

Image Source: BuiltWith.com

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst PHP testing solutions as not only the solution which will keep your PHP code free from both security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

 

jumping 1

Read more about PHP security vulnerabilities and a full language overview here.

The following two tabs change content below.

Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.

Latest posts by Paul Curran (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.