Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


FFGBEACH = HEAD+DESK  

Let me start by saying I was not sure about writing this particular article but after some serious thought I figured not doing so would be doing more harm then doing it. This article is a documentation of a tragedy of errors that shows how bad things can be, the lies a company can tell and just general stupidity (I make no apologies for using that term by the way). Before we start, all screenshots I show come from the last 2 days. This is important as you will see...

I make a point of trying to keep fairly up to date with password leaks and dumps. so I saw these:


..and


Now the pastebin link shows when it was posted - December 2012. So I thought "no way is this still valid, this would be gone by now. I mean I am 4 months late!". But I still went to go take a look optimist that I am (silly, silly me). And I see this:


WTF! Directly after seeing this I am telling myself "No way is this real, this is a fake dump! Still live after 4 months? Has to be fake.". So I looked around I little. I went to the "php" folder in the url:

I went back to the root of the site:

I went digging a bit and saw:




Once again.... WTF!! So a large part of me still thinks this fake, but now I start thinking maybe (looking at the folder structure) someone has compromised a site and has moved the juicy files onto a holding site. So I dig a bit more:



All together now.... W. T. F. !! So I was wrong. "fashionfantasygame.com" is very much linked to "ffgbeach.com". So what can I find about "fashionfantasygame.com"? Lets start with the whois/dns information:



Interesting. Lets take a look at the site itself:

Read that very carefully. Look at the audience of this site. Now lets look at the privacy policy:


Again, read section 6 well. Credit card information? Allow me to explain to "fashionfantasygame.com" a technical term that is appropriate for describing your security measures and privacy policy, it's "BULLSHIT". This is a site aimed at "young ladies" where paypal and credit cards are used, where social interaction is encouraged, and this is the level of care you think is appropriate!! That sql file has been known to the less savoury parts of the internet for at least the last 4 months! But...take a deep breath... is it that bad? In a word, yes. The hashes are unsalted md5 hashes. I took a quick run through them and I cracked over 80%. To be exact at this exact moment as I write this (and it is still running), I have 68245 hashes left. I have taken a quick look through the passwords as well, there was very poor password enforcement if anything - the password "123456" is used thousands of times.

So lets recap:
We have a site ("fashionfantasygame.com") that deals with credit card and paypal data, is aimed at young ladies and has had a sql dump of their users publicly available to the internet for at least 4 months. They did not salt the passwords. They did not enforce good password standards. I cannot express the amount of "FAIL" this encompasses.

When I first started looking at this, I thought "someone else must have written on this. someone else must have mentioned this." Well, I could not find anything. If someone did, then good on you. But what about now? My personal suggestions are:
1) All users of "fashionfantasygame.com" past and present - please, please change your passwords. All of them. Check your online accounts to make sure nothing has been tampered with.
2) All users of "fashionfantasygame.com" present - quit "fashionfantasygame.com". Or if you feel like giving them a chance in spite of their documented lack of care, then raise your voice and get them to notify their users and change their process and setup. Get them to take measurable steps to earn your trust back.
3) "fashionfantasygame.com" - ....I actually have no words. Or to be more exact, I have no polite words for this level of due care with the data of minors. Find someone who knows what the hell they are doing and let them do what they need to.

Ok, I have had enough ranting, go and be good.