LFI vulnerabilities used to expose sensitive files and a database schema

A researcher known for exposing application flaws posted screenshots showing Local File Inclusion vulnerabilities on Adult Friend Finder. The incident marks the second time in just over a year that the internet hook-up destination has had security problems.

On Tuesday, a researcher who goes by 1×0123 on Twitter, and Revolver in other circles, posted screenshots taken on Adult Friend Finder. The images show a Local File Inclusion (LFI) vulnerability being triggered. When asked directly, 1×0123 confirmed LFI as the vulnerability being exploited, and said it was discovered in a module on the production servers used by Adult Friend Finder.

LFI vulnerabilities allow an attacker to include files located elsewhere on the server in the output of a given application. In most cases the LFI results in data being printed to the screen, which is what is happening here, but it can also be leveraged to perform more serious actions, including code execution. The vulnerability exists in applications that don't properly validate user-supplied input and that use dynamic file inclusion calls in their code.

In his examples, 1×0123 shows a redacted image of the server's /etc/passwd file, as well as a database schema generated on September 7, 2016. The database schema reveals the database names, internal IP details, and the generic six-character password used to access them. All of the listed databases share the same password. Among the databases listed are chat, ffibilling, memberlist, messages, photo, users, and video. In all, ninety databases are listed.

This isn't the first time 1×0123 has been in the news. Last May, he published images and claimed to have command injection abilities and shell access to Pornhub. The adult entertainment giant investigated his claims, and after speaking with him directly, they called the incident a hoax.

Perhaps he expects this reaction this time around as well. On Twitter, 1×0123 referenced the previous hoax claims in relation to Adult Friend Finder, stating, “…they will call it hoax again and I will fu—– leak everything.”

Salted Hash reached out to Adult Friend Finder on Tuesday evening for comment and to alert them to the situation. In a brief statement emailed Wednesday morning, Friend Finder Network's Vice President and Senior Counsel of Corporate Compliance & Litigation, Diana Lynn Ballou, said: “We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.”

In May of 2015, Adult Friend Finder confirmed that 3.5 million users had their accounts compromised. At the time the records were posted, the data was 74 days old. The person responsible for the data breach, an admin on the hacker forum HELL, said the reasoning was revenge-based, as a friend of his was owed money. The files were published along with a $100,000 USD ransom demand. As a result, Adult Friend Finder hired FireEye to help with the investigation, the results of which were never made public.
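To make the mechanism behind the story concrete, the following is an added example, written for this page and not code from the article, from Adult Friend Finder, or from the researcher. It shows the dynamic-include pattern that produces an LFI bug next to a hardened version that maps a user-supplied page name through an allow-list and verifies that the resolved path stays inside the document root. The document root, the template names, the "secret" file standing in for a sensitive server file, and the helper names (`unsafe_include`, `safe_include`, `resolve_under_root`) are all constructed for the demonstration.

```python
"""Added example (not from the article, and not Adult Friend Finder's code):
the dynamic-include pattern behind Local File Inclusion, side by side with
a hardened version. The document root, template names and "secret" file
are all constructed here for the demonstration."""
import os
import tempfile
from pathlib import Path

# Constructed document root holding two legitimate templates.
DOCROOT = Path(tempfile.mkdtemp(prefix="lfi_demo_docroot_"))
(DOCROOT / "home.html").write_text("<h1>home</h1>")
(DOCROOT / "about.html").write_text("<h1>about</h1>")

# Constructed file *outside* the document root, standing in for any
# sensitive file an include bug would expose. The traversal string is
# derived rather than hard-coded so the demo works wherever the temp
# directory lives.
OUTSIDE_DIR = Path(tempfile.mkdtemp(prefix="lfi_demo_outside_"))
SECRET_TEXT = "constructed secret, should never reach a web response"
(OUTSIDE_DIR / "secret.txt").write_text(SECRET_TEXT)
TRAVERSAL = os.path.relpath(OUTSIDE_DIR / "secret.txt", DOCROOT)


class IncludeError(ValueError):
    """Raised when a requested include is refused."""


def unsafe_include(page: str) -> str:
    """The vulnerable pattern: the request parameter is joined onto the
    document root with no validation, so '..' segments (or an absolute
    path) walk out of DOCROOT. This is the bug class the article describes."""
    with open(os.path.join(DOCROOT, page), encoding="utf-8") as fh:
        return fh.read()


ALLOWED_PAGES = {"home", "about"}


def safe_include(page: str) -> str:
    """Hardened pattern: map the logical page name through an allow-list,
    build the file name ourselves, and still verify containment as
    defence in depth before reading."""
    if page not in ALLOWED_PAGES:
        raise IncludeError(f"page not in allow-list: {page!r}")
    target = resolve_under_root(DOCROOT, f"{page}.html")
    return target.read_text(encoding="utf-8")


def resolve_under_root(root: Path, user_path: str) -> Path:
    """Containment check for cases where an allow-list is impractical:
    canonicalise (following symlinks) and refuse anything whose real
    location is not inside root. Joining an absolute user path onto a
    Path discards root, which the parents check also catches."""
    if "\x00" in user_path:
        raise IncludeError("embedded NUL byte in path")
    real_root = root.resolve()
    candidate = (real_root / user_path).resolve()
    if candidate != real_root and real_root not in candidate.parents:
        raise IncludeError(f"path escapes document root: {user_path!r}")
    return candidate


def is_allowed(page: str) -> bool:
    """True if safe_include would serve this page name."""
    try:
        safe_include(page)
        return True
    except IncludeError:
        return False


def contained(root: Path, user_path: str) -> bool:
    """True if resolve_under_root accepts user_path relative to root."""
    try:
        resolve_under_root(root, user_path)
        return True
    except IncludeError:
        return False


if __name__ == "__main__":
    print("safe_include('home')            ->", safe_include("home"))
    print("unsafe_include(traversal)       ->", unsafe_include(TRAVERSAL))
    print("is_allowed(traversal)           ->", is_allowed(TRAVERSAL))
    print("contained(DOCROOT, traversal)   ->", contained(DOCROOT, TRAVERSAL))
```

The allow-list is the primary control: the request never names a file at all, only a logical page that the application maps to a path it built itself. The containment check is kept as a second layer for code paths that genuinely must accept a relative file name, and it works on the canonical path so that symlinks and `..` segments are judged by where they actually land.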