The document analyzes data breaches at Adult Friend Finder and Capital One, highlighting vulnerabilities such as Local File Inclusion (LFI) and Server Side Request Forgery (SSRF) that led to the exposure of personal information. It emphasizes the need for stronger security measures, including better password hashing, continuous monitoring, and employee training to prevent future incidents. Recommendations for both organizations include implementing robust web application firewalls, intrusion detection systems, and proper data management practices.

Uploaded by

Reema Giri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
67 views4 pages

Adult Friend Finder

The document analyzes data breaches at Adult Friend Finder and Capital One, highlighting vulnerabilities such as Local File Inclusion (LFI) and Server Side Request Forgery (SSRF) that led to the exposure of personal information. It emphasizes the need for stronger security measures, including better password hashing, continuous monitoring, and employee training to prevent future incidents. Recommendations for both organizations include implementing robust web application firewalls, intrusion detection systems, and proper data management practices.

Uploaded by

Reema Giri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

Breach Analysis – Adult Friend Finder & Capital One

By - Reema Giri
Instructor – Jeff Clark
11/20/20

Adult Friend Finder

Adult Friend Finder is an online platform for adult dating, affairs, etc. In 2016, almost 412 million user
accounts were exposed through a vulnerability that compromised several of the sites owned by Adult Friend
Finder, such as cams.com, penthouse.com and others, leaking Personally Identifiable Information (PII) and
credit card information; the exposed records covered 20 years of stored data.

How did this happen? The Friend Finder network was attacked through a Local File Inclusion (LFI) vulnerability
that exposed all of the network's websites. The attacker was easily able to inject malicious code in the form of
a PHP script, tricking the web application while it was in use. Hackers cannot always change or inject code,
because some applications do not accept arbitrary input without authorization, but unfortunately in this case
the following findings apply:

1. An outside source warned about a possible LFI vulnerability, but it is unclear whether any action was
taken
2. The web application was vulnerable because of poor security policies
3. The hacker was easily able to inject malicious code into the web application, which resulted in
access to the database
4. When the file was added, it was not caught during testing, so the hacker had the "keys to the
castle"
5. There was no proper web application firewall in place
6. Almost 15 million user accounts that had been requested to be "deleted" were apparently still in the
database
7. The leaked user information came from 6 different databases; some of the passwords were
saved in plaintext and the rest were hashed with SHA-1. SHA-1 hashing is just like the MD5 used in the
Ashley Madison attack: these hash functions were created as password protectors, but they are also
known for their extensive vulnerabilities
8. Another cause of this attack was a failure to follow the Software Development Life Cycle
(SDLC), since account information and other user details were not "deleted" even after the
user requested deletion
9. Hundreds of millions of dollars' worth of lawsuits and regulatory action by the government for not
protecting Personally Identifiable Information (PII) as it should have been
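The core of the LFI pattern described above, shown as an added example (not code from the write-up or from the Friend Finder sites): a page-include handler that builds a file path from a request parameter, in its vulnerable form and a hardened form that only serves bare file names from an allow-listed directory. The sandbox directory, template and secret file are constructed inline.

```python
import os
import tempfile

# Constructed sandbox: a web root with one legitimate template and a
# configuration file that sits outside the template directory.
ROOT = tempfile.mkdtemp()
TEMPLATES = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "home.html"), "w") as f:
    f.write("<h1>home</h1>")
with open(os.path.join(ROOT, "db.conf"), "w") as f:
    f.write("db_password=constructed-secret")


def include_vulnerable(page: str) -> str:
    # The classic bug: the request parameter is joined straight onto the
    # template path, so a value containing '..' walks out of TEMPLATES.
    with open(os.path.join(TEMPLATES, page)) as f:
        return f.read()


def include_hardened(page: str) -> str:
    # 1) Accept only a bare file name: no separators, no '.' or '..'.
    if page in ("", ".", "..") or os.path.basename(page) != page:
        raise ValueError("invalid page name")
    # 2) Resolve symlinks and re-check that the final path is still inside
    #    the template directory before opening anything.
    base = os.path.realpath(TEMPLATES)
    full = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes template directory")
    with open(full) as f:
        return f.read()
```

A web application firewall can add a second layer by flagging traversal sequences in request parameters, but the allow-list check in the handler is what actually removes the bug.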

[Diagram: attacker executes LFI from the attacker's web server -> code is downloaded to the website server, giving away the "keys to the castle" -> PII of current users and of users who requested their information be deleted -> all PII exposed]

In my opinion, a few things could be done to protect against future attacks compromising users' PII.
Password hashing is a very critical vulnerability, so it needs to be protected by using a stronger
algorithm. Passwords should not only be letters and numbers but should also be case sensitive
and must include special characters. It is very important to understand that shorter passwords
are more likely to be found/decrypted than longer/stronger ones. Changing passwords at regular
intervals will also play an important role.
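To make the "stronger algorithm" point concrete, an added example (not code from the write-up): the unsalted SHA-1 scheme found in the dump beside a salted, deliberately slow scheme using only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt), plus a routine that upgrades legacy entries at the user's next successful login. The iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on the login servers


def legacy_sha1(password: str) -> str:
    # Unsalted single fast hash: identical passwords give identical hashes,
    # so one precomputed table attacks the whole dump at once.
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    # Random 16-byte salt per user and a slow KDF; stored as
    # "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>".
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a mismatch leaks nothing through timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password: str, stored: str):
    """Return (ok, stored_value). Legacy SHA-1 entries are verified once and
    replaced with the new format, so the weak hashes disappear over time."""
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored), stored
    if hmac.compare_digest(legacy_sha1(password), stored):
        return True, hash_password(password)
    return False, stored
```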

When there are warnings or threats of vulnerabilities, it is very important that they be looked at
right away as a precaution. "It's better to be safe than sorry." Proper use of logging and
monitoring will help reduce and find any malicious activity right away. For a sensitive business like
Adult Friend Finder, it is a good option to have continuous monitoring in place to watch all
activity.

During development of the website, a strong web application firewall should be in place that identifies,
validates and alerts on any suspicious activity. Testing and validation would be an extraordinary step to
take as part of the development phase. During this phase, a few different kinds of testing will add
extra security measures, such as penetration testing, customer acceptance testing and
preproduction testing, to determine the level of security provided to the applications.

Last but not least, any time a user requests that an account or information be deleted or changed,
the data should be safely erased, or the data that needs to be exfiltrated should be encrypted.

Capital One

Capital One is one of the largest banks, and a bank that values technology as much as banking.
Despite its being a high-technology bank, the breach occurred in July 2019, exposing customer
information taken from applications that had been filled out for credit cards.

A responsible citizen emailed Capital One advising that they had found Capital One customer
information on a GitHub page, which was then handled through the company's disclosure program. The question is
how this one individual got access to data that was stored in AWS cloud computing. The
answer is always the same: a vulnerability (in our case the Server Side Request Forgery (SSRF)
vulnerability) in the security measures taken, and an insider job. The individual scanned with a self-
created software tool that helped identify company firewalls with misconfigurations, and poor
security controls led the way to this incident.
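The control that removes the SSRF class named above is to validate every user-supplied URL before the server fetches it. This added example (not code from the write-up or from Capital One) rejects non-HTTP schemes and any destination that resolves to a loopback, link-local, private or other non-global address; the resolver is injectable so the check runs offline against constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def default_resolve(host):
    # Real DNS lookup: every address the name maps to, not just the first.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_target(url: str, resolve=default_resolve) -> bool:
    """True only if the URL is http(s) and every address it can reach is
    a globally routable one."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        # Literal IP in the URL (including bracketed IPv6).
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False  # unresolvable name: fail closed
    # is_global is False for loopback, link-local, RFC 1918 and the other
    # special-purpose ranges, which is exactly the set SSRF is used to reach.
    return bool(addrs) and all(ip.is_global for ip in addrs)
```

Connect to the address that passed the check rather than re-resolving the name, and re-run the check on every redirect, otherwise a second lookup can return a different answer.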

The breach would not have happened if proper security controls had been in place to
alert on unauthorized traffic from the cloud environment. So, proper use of an intrusion detection
system could help prevent future incidents.

Even though AWS, as the cloud computing environment, logged and monitored, in my strong opinion
Capital One should also have had access to alerts on such activities instead of just keeping the logs
for auditing purposes. Continuous monitoring and active log auditing from AWS might help reduce
and quickly find any malicious activity beforehand.

Since it was an insider who exploited and exposed the data, it is very important, and should be made mandatory, to train
every employee and govern them with new policies and procedures. Rotation of jobs/duties
would be a good recommendation, along with access controls and proper change management in
place. It is important that employees be rotated within teams or across teams to make sure they
do not have access to anything for a long period.

As a bigger organization, it is important that Capital One also focuses on other frameworks, as
NIST alone is never sufficient.

When credit applications were received, validated and processed, they were stored in the cloud;
instead they should have been encrypted and exfiltrated.
