CASE STUDY: Sex, Lies, & SQL Injection


BRIEFING

Ashley Madison, Adult Friend Finder, and other online sex and swingers sites seek to provide individuals with an online place to meet other married individuals. These sites effectively visualize, facilitate and monetize infidelity. The operators of these sites pride themselves on security and discretion. They were wrong.

In recent years many, if not all, of the biggest “hookup” sites have suffered major data breaches. These sites include Adult Friend Finder, Ashley Madison, Moco Space, Penthouse, and Muslim Match.  

In July 2015, the adult dating site AshleyMadison.com was breached. A hacker team calling itself “The Impact Team” claimed responsibility for the attack. The group demanded that the site close down. The hackers gave Avid Life Media, the parent company of Ashley Madison, thirty (30) days to comply. The Daily Mail reported that,

“When the CEO Noel Biderman refused to close the site after the 30 day period 30 million user details were released.”

Included in the data released by the hackers were thousands of email addresses with the “.gov” and “.mil” domain extension. Numerous emails with the “.sa” extension were discovered. This top level domain is associated with Saudi Arabia. It has been reported that adultery is punishable by death in the Saudi Kingdom. In the wake of the data leak, a number of suicides were reported, including that of a New Orleans Baptist Theological Seminary pastor and preacher named John Gibson. He took his own life six (6) days after the leak was made public.

In July 2016, researcher Troy Hunt revealed that the hookup site Muslim Match had been hacked. The BBC reported “More than 700,000 private messages between members have also been leaked...” in the breach of the site. The information leaked contained,

“[d]etails of members' employers, location, marriage status and whether they were a convert to Islam were revealed, as well as names, email addresses, Skype handles and IP addresses...”

In October 2016, Motherboard reported that the adult hookup site AdultFriendFinder had been hacked for what appeared to be a second time.  At least two threat actors took credit for the breach.

The Guardian reports that the AdultFriendFinder breach was among the largest in history,

“...exposing the private details of more than 412m accounts and making it one of the largest data breaches ever recorded...”

The Guardian cited LeakedSource, a threat research firm, which stated that

“Passwords were stored by Friend Finder Networks either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination.”  

LeakedSource indicated that

“Among the leaked account details were 78,301 US military email addresses, 5,650 US government email addresses and over 96m Hotmail accounts. The leaked database also included the details of what appear to be almost 16m deleted accounts, ...”  

Furthermore,

“Over 99% of all the passwords, including those hashed with SHA-1, were cracked by Leaked Source meaning that any protection applied to them by Friend Finder Networks was wholly ineffective.”
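The storage weakness described in the quotes above, shown as an added example (it is not code from Friend Finder Networks, LeakedSource or this case study). It contrasts a single fast SHA-1 pass with one site-wide pepper against a per-account salt with a memory-hard KDF; the pepper construction, function names and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

PEPPER = b"constructed-site-wide-pepper"  # assumed: one secret for all rows


def sha1_peppered(password):
    # Weak scheme: a single fast SHA-1 pass, identical for every account.
    return hashlib.sha1(PEPPER + password.encode()).hexdigest()


def scrypt_hash(password, salt=None):
    # Hardened scheme: random per-account salt plus a memory-hard KDF.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password, salt, expected):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(scrypt_hash(password, salt)[1], expected)


def accounts_sharing_a_digest(digests):
    # Audit check: how many rows hold a value that another row also holds?
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed accounts; two users picked the same password.
    users = {"u1": "hunter2", "u2": "hunter2", "u3": "correct horse"}
    weak = [sha1_peppered(p) for p in users.values()]
    strong = [scrypt_hash(p) for p in users.values()]
    print("SHA-1 rows sharing a digest :", accounts_sharing_a_digest(weak))
    print("scrypt rows sharing a digest:",
          accounts_sharing_a_digest(d for _, d in strong))
    salt, digest = strong[0]
    print("verify correct:", scrypt_verify("hunter2", salt, digest))
    print("verify wrong  :", scrypt_verify("hunter3", salt, digest))
```

With a shared pepper, every account that chose the same password stores the same value, so one recovered password resolves all of them; per-account salts remove that shortcut and the KDF cost slows each remaining guess.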

ANALYSIS

In each data breach instance, threat actors were able to identify and exploit website and database vulnerabilities. Cross-Site Scripting (XSS) vulnerabilities exist in web interfaces. These vulnerabilities allow a threat actor to inject malicious client-side code into web pages. SQL (Structured Query Language) injection vulnerabilities exist when client-side input into forms is not validated or filtered to prevent executable SQL statements from reaching backend databases.
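The SQL injection condition described above, as an added example that is not code from any of the breached sites or from this case study. It runs the same form lookup three ways against an in-memory SQLite table: string concatenation, a parameterized query, and allow-list validation in front of the parameterized query. The table, rows, function names and the crafted input are all constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory members table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT, city TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.com", "Toronto"),
         ("bob@example.com", "Austin"),
         ("carol@example.com", "Leeds")],
    )
    return db


def search_vulnerable(db, city):
    # Form input is pasted into the SQL text, so the database parses
    # whatever the client typed as part of the statement itself.
    sql = "SELECT email FROM members WHERE city = '" + city + "'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, city):
    # The statement text is fixed; the input is bound as a value and is
    # only ever compared against the city column.
    sql = "SELECT email FROM members WHERE city = ?"
    return [row[0] for row in db.execute(sql, (city,))]


def search_validated(db, city):
    # Allow-list validation in front of the bound query: reject anything
    # that is not a plausible city name before it reaches the database.
    if len(city) > 64 or not city.replace(" ", "").isalpha():
        raise ValueError("city must contain only letters and spaces")
    return search_parameterized(db, city)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated :", search_vulnerable(db, crafted))
    print("parameterized:", search_parameterized(db, crafted))
    print("normal lookup:", search_validated(db, "Austin"))
```

The concatenated query returns every member's email for the crafted input, while the parameterized query treats the same input as a city name that matches nothing.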

When announcing the breach of Avid Life Media’s systems, The Impact Team stated,

"We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off.”

CSO Online reports that, to substantiate its claim to the breach, The Impact Team

“released nearly 40 MB of data as proof of their claims, which includes limited credit card transaction details, zone data on two domains, as well as several documents taken from the ALM data servers.”

CSO Online reports that among the  

“leaked documents is an infrastructure overview of [Avid Life Media], including a technical map of the network, and a detailed breakdown of the apps and services used on the company's front-rail and back-rail servers.”

SUMMARY

The impact of these hacks resulted in enormous financial. The hacks resulted in the destruction of marriages and families. A number of people are believed to have taken their own lives as a result of having their infidelity exposed to the public. There were national security implications associated with the Ashley Madison and AdultFriendFinder leaks. Large numbers of current military and Federal government employees were exposed. Many of these individuals hold security clearances. Knowledge of their immoral conduct creates the conditions for blackmail.

CONCLUSION

Vigilox Threat Research provides the vulnerability scans and consulting services needed to detect and resolve commonly attacked vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection (SQLi). Vigilox Security Operations Center (SOC) is a fully managed Unified Threat Management (UTM) solution for your enterprise. Our SOC provides real-time monitoring of mission-critical assets for Indicators of Compromise (IoC) consistent with XSS and SQLi attacks.
