[BreachExchange] Data Breaches Are Catching People With Their Pants Down

Destry Winant destry at riskbasedsecurity.com
Wed Sep 18 10:15:27 EDT 2019


https://www.riskbasedsecurity.com/2019/09/09/data-breaches-are-catching-people-with-their-pants-down/

Data breaches aren’t slowing down, in fact, it seems that they are
accelerating. As of June 30th, there have been 3,813 breaches exposing
over 4.1 billion records. Compared to the total as of midyear 2018,
the number of breaches was up 54% and the number of exposed records
was up 52%.

It seems like the news bombards us with breach after breach, with big
companies like Equifax simply saying, “We’re sorry. (Sorry you found
out).” Sadly enough, many breaches result from unsecured databases
being found by researchers where sensitive information is simply out
in the open, ripe for the taking. In some cases, the database has been
like that for an extended period of time so it is hard to say who has
been in it or what has been already taken.

Even when researchers reach out to these companies about the
situation, they mostly receive silence or a simple “thank you” that
implies that they were already aware. This attitude seeps into the
resulting press release when an exposure comes to light, and after
hearing the same thing over and over again, you can’t blame the
general populace for being numb to the ramifications or to the
potential scares of a breach.

So What

Like we mentioned in our 2019 MidYear Data Breach QuickView Report,
some customers will simply shrug off the inconvenience of a breach.
Fixing a stolen identity case is extremely time consuming, but the
fact of the matter is not every person has to deal with that
situation, so unless it explicitly happens to you, you probably don’t
care. No harm, no foul. But what happens if you get caught with your
pants down?

We all know that adult websites and apps exist and in the month of
August, the internet’s veil of anonymity was shattered. We won’t
judge, but two breaches could have crazy ramifications for those
involved. Have you ever wondered who in the world has the time or
energy to leave those insane comments? Ever wondered who is looking
for “local kinky, open-minded people” in your area? Well, it turns out
that with these data breaches you can actually find out. Scandalous.

3Fun

In the beginning of August, we shared an article on our social media
channels detailing the security concerns of the group dating app 3Fun.
The app, which allows users to find “local kinky, open-minded people”
had numerous issues that resulted in 1.5 million users being exposed.
Here were the issues:

Exact user location, birth date, sexual orientation, and private
photos are accessible in the app or could be queried via the server
API.
Hiding one’s location or setting a privacy setting on other sensitive
information only filtered the data in the app itself. Everything set
to private could still be queried via the server API.

When we consulted our Chief Research Officer, Carsten Eiram about the
topic, he summed up their security in the following quote:

“Awful.”

Carsten Eiram, Chief Research Officer at Risk Based Security

In most situations, any attacker trying to find an exact user’s
location would have to ‘trilaterate’ by spoofing GPS coordinates in
order to track the distance. However, in 3Fun’s case, there is no
need. If the privacy feature isn’t set, the app provides the user’s
latitude and longitude within the app. Even if the privacy feature is
applied the information is always available via the server API.

The scariest thing about this GPS leak is that an attacker can track a
target in near real-time and observe their private activities. Using
this information, an attacker can gather more intel on a specific
individual and then sort through the app for photos, chat logs, and a
birthday in order to fully hone in on a target. In Pen Test Partner’s
write up they were able to map out users within major cities and if
they were malicious, they could single out high-profile targets and
attempt to blackmail or dox them with this information.

Given this discovery, what was 3Fun’s response when notified?
According to the researchers of Pen Test Partners, 3Fun responded with
the following:

“Dear Alex, Thanks for your kindly reminding. We will fix the problems
as soon as possible. Do you have any suggestion? Regards, The 3Fun
Team”

3Fun

You can find more details in Pen Test Partner’s write up.

Luscious.net

Adding on to our dirty list of breaches, Luscious.net, a popular
hentai porn site (adult cartoons), also suffered a breach exposing
1.195 million global users. The cause? An unsecured database that was
authenticated incorrectly.

Within the database were usernames, locations, email addresses, and in
some cases full names of members. However, InfoSecurity also reports
that cybersecurity researchers Noam Rotem and Ran Locar were able to
connect extremely personal content in the form of comments and uploads
to specific individuals. In an environment where internet anonymity is
truly important, this exposure is even more relevant since a number of
users enlisted in Luscious’ services with official government email
addresses.

Like the 3Fun breach, the potential of singling out high-profile
targets is very high. Sexuality can be a taboo topic and this is
amplified even further due to the website’s already niché fetish. An
attacker could track down a government user and see exactly how many
image albums they created, how many videos they uploaded, any comments
made, and all the accounts or videos they followed. Given the current
climate where one Tweet can ruin a career, one can only imagine the
kind of leverage an attacker would have over a government employee.

As alarming as this is, the response that the researchers got after
disclosing these issues is equally as glaring as the vulnerabilities
uncovered. Even though Luscious’ patching process took care of the
issue within four days, Rotem and Locar were met with silence when
they disclosed the situation. According to Forbes’ account, both
researchers had initially emailed the creator of the site to no avail.
Once it was concluded that email was a dead end, they reached out via
Facebook Messenger, LinkedIn, and SMS text. Still no response. It
wasn’t until after initial publication of the story that the owner
confirmed the vulnerability and stated,

“We will be reaching out to any compromised users to warn them about
the potential exposure of their private email addresses.”

Luscious.net site owner

Concerns of a Consumer

Obviously, no one is completely safe and even the most secure
organizations have weak points. A data breach can happen to anybody.
But as we have seen, organizations have to deal with the situation
properly. Equifax is having a PR disaster and if you want further
analysis, our researchers had covered the breach back when it
initially unfolded in 2017. So many organizations are treating
breaches as “business as usual” and treat disclosure as a last resort.
This is not the best practice and the general population has a right
to know when their sensitive data has been exposed.

If that is the case, what is the issue? Why can’t vendors just patch
something once it comes out and why do these databases get
authenticated incorrectly in the first place? Simply fix the
vulnerability when a research team reaches out. Alas, it isn’t as
simple, but sometimes it is.

Concerns of a Business Owner

If you’re a business owner then you probably have different concerns.
Regardless of which industry you are in, you are in constant contact
with a multitude of vendors and other organizations. Do you want to do
business with or be affiliated with a vendor who has an Equifax
approach of safeguarding data? You need to know the likelihood of this
before you hand your trust over. In a perfect world you would be able
to know which organizations have suffered a breach, if they are
suffering from one now, or if they are likely to be breached. You want
to know which vendors actually patch and which ones have a track
record of ignoring research. Well, there is a way to get this data for
your risk management plan.

We’ll be the belt. Keep your pants up.


More information about the BreachExchange mailing list