For millions of users, and former users, of websites on the Friend Finder Network, the service built to bring them closer to their fantasies is turning into a nightmare. In what Wired is calling a “privacy catastrophe,” over 400 million accounts, including deleted accounts, were breached on one of the world’s largest adult dating websites as the result of a Local File Inclusion vulnerability. AdultFriendFinder.com was acquired by Penthouse in 2007, which subsequently changed its name to Friend Finder Network. Under the Friend Finder Network exist numerous adult websites, of which AdultFriendFinder.com is the largest. Combined, these websites contain over 412 million past and present users, all affected by the latest hack. Besides AdultFriendFinder.com, the Friend Finder Network includes numerous adult-oriented “hookup” websites, among them Penthouse.com.
Adult Friend Finder Hack Background
In mid-2015 when the Ashley Madison hack by the self-styled vigilante group known as the “Impact Team” occurred, one would expect that any organization dealing with such sensitive topics as adultery would have had the intelligence, and foresight, to ensure that their applications and sensitive user data were as secure as possible. Unfortunately, this was not the case.
Prior to the July 2015 Ashley Madison hack, the Friend Finder Network had an earlier wake-up call about its insufficient state of security when over 3 million active users had some personal details leaked. This data included their sexual preference – something not leaked in this current hack.
Unlike financially motivated hacks, these highly personal data breaches can wreak havoc whose damage cannot be undone with an updated password. The amount of personal details leaked here (including, among other things, passwords, last login, and email address) can tear families apart, jeopardize jobs and even worse.
The professional nature of many of the email addresses found in the Ashley Madison hack (.gov, .mil, etc.) should have served as a wake-up call for users engaging in this behavior; however, the professional email addresses contained in this breach suggest that people are still using work accounts for questionable activity.
15 Million Deleted Accounts?
Additionally, LeakedSource.com noted that a number of the emails had certain characteristics that could indicate that they were from users who may have attempted to delete their accounts:
“While perusing the data we noticed that a significant amount of users had an email in the format of: firstname.lastname@example.org@deleted1.com. Uh-oh.
We’ve seen this situation many times before and it likely means these were users who tried to delete their account but the data is obviously still kept around because you know, we’re looking at it. According to a reporter it is impossible to register an account using an email that’s formatted this way which means the addition of “@deleted.com” was done behind the scenes by Adult Friend Finder. So counting the amount of emails with “@deleted” near the end, we have 15,766,727 “deleted” accounts in AdultFriendFinder.com.”
Large Data Leaks by Numbers:
2014 Yahoo – 500 million
2016 Adult Friend Finder – 412 million
2013 MySpace – 359 million
2015 Ashley Madison – 33 million
The Local File Inclusion Vulnerability Behind the Hack:
The exploited vulnerability that led to the disastrous breach, and subsequent consequences, of this massive hack is a Local File Inclusion (LFI).
Local File Inclusions, when exploited, allow attackers to execute arbitrary code by influencing which file or library the server dynamically loads. Any file the server can read, including content that reached it through a feature such as file upload, can be pulled into the application, which can allow the malicious party to control the code run by the application or even enable complete server takeover. In this case, the hacker was able to include files located in a different part of the server in the output of an application.
Local File Inclusions were listed as the second most recorded web application attack vector in Akamai’s Q3 2016 State of the Internet / Security Report behind SQL injections (SQLi).
How Could this Hack have been Prevented?
When it comes to protecting against Local File Inclusion vulnerabilities, do not dynamically load code libraries, especially not based on user input.
Additionally, if it is necessary to use untrusted data to select the library to be loaded, verify that the input matches a predefined set of whitelisted library names. Alternatively, use the input only as an identifier to select from the whitelisted libraries, so that it never becomes part of a file path.
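As an added example (not code from the original post or from Friend Finder Network), here is the vulnerable include pattern beside the two hardened forms just described; the `page` parameter, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added example, not code from the original post or from Friend Finder Network.
// The "page" parameter, the pages/ directory and the file names are assumptions.
declare(strict_types=1);

// VULNERABLE: user input becomes part of the include path. Because include executes
// whatever PHP code the file contains, whoever steers this path controls the code run.
function loadPageVulnerable(string $userInput): void
{
    include __DIR__ . '/pages/' . $userInput . '.php';
}

// HARDENED, option 1: keep the same layout but accept only names from a predefined
// whitelist, compared with strict types, before the input touches the filesystem.
const ALLOWED_PAGES = ['home', 'profile', 'search'];

function resolvePageWhitelist(string $userInput): ?string
{
    if (!in_array($userInput, ALLOWED_PAGES, true)) {
        return null;                       // reject anything not on the list
    }
    return __DIR__ . '/pages/' . $userInput . '.php';
}

// HARDENED, option 2: the input is only a key into a fixed map of paths, so user data
// never becomes part of a path at all.
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'profile' => 'pages/profile.php',
    'search'  => 'pages/search.php',
];

function resolvePageByKey(string $userInput): ?string
{
    return array_key_exists($userInput, PAGE_MAP)
        ? __DIR__ . '/' . PAGE_MAP[$userInput]
        : null;
}

// Safe entry point: resolve first; only a path the application itself produced
// ever reaches include, and unknown keys fail closed.
$path = resolvePageByKey($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Either resolver can be swapped in at the entry point; the second is preferable because even a valid name never forms part of a string that is turned into a path.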
Further reading: OWASP PHP File Inclusion
While it’s clear that it was a Local File Inclusion that allowed malicious parties to access the private user details of millions of users, there is a second security flaw that adds another risk to this already devastating hack: insufficient encryption.
Anyone who was able to access the Excel sheets containing the leaked data can see that the “user name” column contains encrypted passwords. The method employed to keep prying eyes away from the plain-text versions, however, is the Secure Hash Algorithm 1 (SHA-1) hash function, which back in 2005 was deemed by cryptanalysts too insecure for ongoing use.
Further reading: All About Encryption: Security, News and a Brief History
Securing Your PHP Code
Using BuiltWith.com, it’s easy to see that this LFI would have been contained within the PHP code used to power Adult Friend Finder. As over a quarter of all websites on the internet are built using PHP, it’s critical to use an application security testing solution to ensure that vulnerabilities do not make it to production.
Checkmarx’s CxSAST, a static code analysis solution, stands out amongst PHP testing solutions as not only the solution which will keep your PHP code free from both security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.
Read more about PHP security vulnerabilities and a full language overview here.