How a dating website was impacted by a text file
The story was that the names, usernames, passwords and email addresses of the military dating site's members were accessed, and a comment from MilitarySingles.com said there was "no actual evidence" it had been hacked. This led to attackers defacing the site and revealing that email addresses from the US army, navy and Microsoft had been posted online.
Almost two months on, a report appeared last week from Imperva that shed a lot more light on the incident and revealed the truth about the 'hacking'. The report, 'Dissecting a Hacktivist Attack', showed that rather than a brute-force attack or exposure of a vulnerability inside the website, a more sophisticated measure was used.
A local file inclusion (LFI) attack tricks the server into including and executing a file that is already present on it, for example a file the attacker has just uploaded; according to research by Imperva, LFI and remote file inclusion (RFI) attacks accounted for 21 per cent of all application attacks observed on 40 applications between June and November 2011.
In this case, the website allowed users to upload photos, and the attacker was able to upload what was presented as a photo but was actually a text file, which executed once it was on the server.
Speaking to SC Magazine, Tal Be'ery, senior web researcher at Imperva, said creating a profile is easy as the website wants more members.
He said: “We were able to see that someone uploaded files and some PHP files executed in a PHP environment and knew that it was possible that hackers were using a picture upload. So we took a closer look.”
The report claimed that the application designer was aware of the perils of hosting user-generated content and in order to prevent rogue uploads, filter functionality was implemented to restrict uploads to picture files.
Asked if any image file would be accepted, Be'ery said it would be, as the only validation was on the client side, whereas the proper place to do it is on the server side. So if an attacker used a proxy to alter the traffic after it had passed the client-side checks implemented in the browser, they could change the filename without changing the 'image' content type.
“This is really a very good lesson to take it out as you cannot afford affecting functionality, as with Web 2.0, it is all about user-generated content, so you need to handle with care,” he said.
A solution, according to Imperva, would be to host the content separately, as Facebook does; Be'ery said that in an untrusted environment, things can be analysed and uploaded afterwards.
Asked if a maliciously coded photo would be hard to spot, Be'ery said that with photos you can easily validate the dimensions – and if it is a real photo, it is approved.
He said: “It is about untrusting, you have to have a trusted place on the server. This could have been worse, with passwords stored in plain text rather than hashing, but in this case that was not enough. They should have hashed each password separately so the hacker has to break each password individually. Using salt is the way to do it; it is a matter of knowledge and awareness as a matter of being aware of how to store passwords in the right way.”
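To make Be'ery's point about salting concrete, here is an added example (not from the article or from Imperva's report) contrasting the weak scheme, one unsalted fast hash per password, with a per-user random salt and a slow key-derivation function. The user names, passwords and the PBKDF2 round count are constructed assumptions; the code uses only Python's standard library.

```python
"""Unsalted vs per-user-salted password storage (added illustration).

With a single unsalted hash, every member who chose the same password has
the same stored value, so cracking it once cracks all of them. With a
per-user random salt and a slow KDF, each stored hash has to be attacked
separately. Standard library only: PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 200_000  # assumption: pick a cost the login server can afford


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store a random per-user salt beside a slow, salted hash of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def verify(record: Dict[str, object], password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["rounds"]),
    )
    return hmac.compare_digest(candidate.hex(), str(record["hash"]))


def duplicate_groups(table: Dict[str, str]) -> List[List[str]]:
    """Group user names whose stored hash is identical.

    Against an unsalted table this exposes password reuse directly: one
    cracked hash unlocks every account in the group.
    """
    by_hash = defaultdict(list)
    for user, stored in table.items():
        by_hash[stored].append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts (not real data): two members reuse a password.
SAMPLE_USERS = {"alice": "Summer2011!", "bob": "Summer2011!", "carol": "correct horse"}


def unsalted_table() -> Dict[str, str]:
    return {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}


def salted_table() -> Dict[str, Dict[str, object]]:
    return {u: make_record(p) for u, p in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(unsalted_table()))
    salted = salted_table()
    print("salted duplicates:", duplicate_groups({u: str(r["hash"]) for u, r in salted.items()}))
    print("bob logs in:", verify(salted["bob"], "Summer2011!"))
```

The `duplicate_groups` check is also a useful audit: run it over a stored credential table and any group of size greater than one tells you either the scheme is unsalted or salts are being reused.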
The report also recommended the whitelisting of uploaded content and blacklisting to scan for malicious content.
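The following is an added example, not code from the article, from Imperva or from the affected site, showing what the server-side checks discussed above look like in practice: an extension whitelist, a check that the bytes really are an image, Be'ery's dimension check, and a server-chosen filename, as opposed to trusting the browser-supplied filename or Content-Type that a proxy can rewrite. The site ran PHP, but the logic is language-independent and is shown in Python; the size and dimension limits, the sample files and the function names are assumptions.

```python
"""Server-side validation of an uploaded 'photo' (added illustration).

The client's filename and Content-Type are treated as untrusted hints.
Acceptance is decided by parsing the bytes: only PNG and JPEG headers are
recognised, and the stored name is chosen by the server.
"""
import os
import secrets
import struct
from typing import Dict, Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png"}   # assumption: whitelist of picture types
MAX_BYTES = 5 * 1024 * 1024            # assumption: upload size cap
MAX_DIM = 8000                         # assumption: largest plausible side


def naive_check(filename: str, content_type: str) -> bool:
    """What a browser-side check amounts to once a proxy can rewrite the filename."""
    return content_type.startswith("image/")


def image_dimensions(data: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (kind, width, height) parsed from the header, or None if not PNG/JPEG."""
    if len(data) >= 24 and data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return ("png", w, h)
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                return None
            marker = data[i + 1]
            if marker == 0xD9:                        # EOI before any SOF
                return None
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
                i += 2                                # standalone markers carry no length
                continue
            length = struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in (0xC0, 0xC1, 0xC2):          # SOF0/1/2: precision, height, width
                if i + 9 > len(data):
                    return None
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return ("jpeg", w, h)
            i += 2 + length
    return None


def validate_upload(filename: str, content_type: str, data: bytes) -> Dict[str, object]:
    """Decide whether an upload may be stored; never trusts the client's name or type."""
    if len(data) > MAX_BYTES:
        return {"ok": False, "reason": "too large"}
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return {"ok": False, "reason": f"extension '{ext}' not whitelisted"}
    parsed = image_dimensions(data)
    if parsed is None:
        return {"ok": False, "reason": "content is not a recognised image"}
    kind, w, h = parsed
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        return {"ok": False, "reason": "implausible dimensions"}
    # The server picks the stored name: random, with the extension taken from the
    # parsed content rather than from whatever the client called the file.
    stored = f"{secrets.token_hex(16)}.{'jpg' if kind == 'jpeg' else 'png'}"
    return {"ok": True, "stored_as": stored, "width": w, "height": h}


# Constructed sample uploads (headers only; nothing here is a real photo).
GOOD_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00" + b"\x00" * 4)
GOOD_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00"
             + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 300, 400)
             + b"\x03" + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
NOT_A_PHOTO = b"<?php /* constructed: text pretending to be a picture */ ?>"

if __name__ == "__main__":
    print("naive check accepts disguised file:", naive_check("photo.php", "image/jpeg"))
    print("server-side verdict:", validate_upload("photo.php", "image/jpeg", NOT_A_PHOTO))
    print("renamed but still text:", validate_upload("photo.jpg", "image/jpeg", NOT_A_PHOTO))
    print("real PNG header:", validate_upload("me.png", "image/png", GOOD_PNG))
```

Note that the extension check alone would not have helped once the attacker renamed the file to `.jpg`; it is the header parse and dimension check that reject text masquerading as a picture, and the random server-chosen name removes any influence the client has over where and as what the file is stored.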
Asked if he felt that this sort of attack could happen again, Be'ery said there are many variants of this type of attack.
“We are very committed to LFI and last year this was in websites where the attacker uploaded malicious content, so really there is a great danger in allowing functionality – it is important to a rich user experience, but you should take necessary precautions when you enable functionality,” he said.
The other question Imperva raised is whether it is appropriate for military and government employees, with links to sensitive information, to participate in social networking websites; it suggested that new public security policies may be required to prevent such breaches in future.
This is a difficult one to argue, as members of the forces and public sector should be as free to use social networking sites as any other person, but they are a target once identified. However, if you create a specific site, such as MilitarySingles.com, then it is one big target for anyone to go after.
What the report from Imperva demonstrated was the ease with which an attacker can access a server with a bit of planning, and this could be far from the last incident reported due to this tactic.