MilitarySingles.com’s treasure trove of user passwords recently came under attack by hackers, who devised a new twist in exploiting a weakness in the upload filter for user-generated content.
Security vendor Imperva dissected this interesting attack in their report and it’s a worthwhile read.
Hackers were able to obtain more than 170,000 records from the site by uploading malware using a Remote File Inclusion exploit in March. While this isn’t anything new, the unusual aspect of this attack is how passwords for each MilitarySingles.com user were stored on the site and that an upload filter designed to protect the site failed.
Militarysingles.com’s site allowed users to upload their profile pictures. All well and good: after all, how else can you have a dating site without letting the folks post their pics?
But the application designer used a flawed strategy to restrict the upload of files only to picture files. The filter was flawed. First, it only checked file extensions, so someone could upload malware.exe.jpg and would pass the filter, because it had the “right” extension.
Second, the attackers used a proxy to fiddle with traffic after it had passed client-side security implemented on the browser. The bad guys were able to change the filename without changing the “image” content-type, so it could execute on the server.
Imperva has some solid suggestions to improve file upload security in its report:
- Assign minimal permissions to the uploaded content – especially not giving the file executable permissions.
- Host user-generated content on a different domain or even on a different server entirely. That way, even if the code is malicious it’s not evaluated in the context of your site, or on the machine that stores sensitive data and resources. For example – Facebook stores user uploads on fbcdn.net domain which is hosted on Akamai machines.
- Treat passwords properly. The site stored its passwords using an older hashing technology (MD5) that was easily cracked. You should use newer and more secure encryption methods.
- ADC Hacker Intelligence Initiative [Imperva]