Confusion, Recriminations Surround PlentyofFish Breach

2011-01-31T19:28:30
ID THREATPOST:BD0D8BEAF28C8B702F47B677A9E72D0E
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:09:40

Description

Controversy has erupted around the free online dating site PlentyofFish.com after the Web site was found to contain a serious security vulnerability that could have potentially exposed the personal information of some 30 million users.

In another chapter of the annals of “No Good Deed Goes Unpunished,” the security researcher who discovered the vulnerability and attempted to disclose it confidentially has found himself accused of conspiracy and criminal hacking by the dating site’s founder, Markus Frind.

The story was first publicized by security reporter Brian Krebs on his Krebs on Security blog. According to the published report, he was contacted by Argentinian security researcher Chris Russo on January 19 regarding the Web vulnerability. According to Krebs, Russo had been a source regarding an earlier vulnerability in the Pirate Bay that exposed the personal information of 4 million users in July of last year.

This time Russo claimed that he and some friends found a SQL injection bug in PlentyofFish through which they could access account and password information of any of the site’s users. Russo then asked Krebs to create an account so he could prove this. Krebs did so, at which point he was again contacted by Russo, who regurgitated Krebs’s registration information back to him.

According to an interview Russo granted to the Web site Grumomedia.com, the vulnerabilities he discovered could allow any attacker to access and back up the database used by the webserver or gain access to the site. Russo also discovered that PlentyofFish stored user passwords in clear text, without the benefit of encryption. These and other holes were properly documented by his team without exposing any personal information, he told Grumomedia.com.
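The two defects Russo describes, a lookup that splices user input into SQL and a credential store holding passwords in clear text, are illustrated below in an added example that is not PlentyofFish code and uses constructed sample accounts: the string-built query returns other users' rows for a crafted name, the parameterized query treats the same input as plain data, and the store keeps only a salted PBKDF2 hash that is checked with a constant-time comparison.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not real users or real passwords.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    # In-memory table holding name, salt and hash only (no clear-text column).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, _hash_password(pw, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The defect: input is pasted into the SQL text, so quote characters in
    # `name` rewrite the WHERE clause instead of being matched as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver binds `name` as data, never as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Recompute the hash with the stored salt; compare in constant time.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)
```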

After learning of the hole, Krebs attempted to contact Frind, going so far as to contact the founder’s wife, but never heard from Frind himself. The reasons for that became clear in a post, purportedly penned by Frind on the PlentyofFish blog, that claimed to be a “personal post about what it feels like to be hacked/extorted.” In the post, Frind accused Russo of attempting to extort him and five other “very famous” dating sites and of being in cahoots with Russian mobsters.

In an e-mail to Threatpost.com, Frind said that he felt Krebs was being manipulated by Russo in an attempt to establish a “mass sense of confusion.” Russo’s attempts to compromise Plenty of Fish “generated hundreds of errors … as a result we have detailed logs about what SQL statements he ran and what data he got back.”

In a follow-up statement Monday, Frind said that a hacker gained access to 345 accounts that were successfully exported from the site.

Russo claimed that Frind resolved the vulnerability and was initially cooperative, but became progressively more aggressive as time went on.

Attacks aimed at Web sites that hold valuable information such as personally identifiable information or financial and banking data are on the increase, according to Jeremiah Grossman of the Web security firm WhiteHat. “The nature of the attack demonstrates how companies’ websites are increasingly the entry point for corporate data theft,” Grossman wrote in an e-mail statement.