Fears that lack of security in cheating website Ashley Madison could result in massive nude picture leak
Public photos are available for anyone on the site to see but private photos can only be accessed with a 'key'. The only problem is, if another person shares their key first, then Ashley Madison automatically shares a user's key with that person.
Extramarital dating site Ashley Madison suffered a catastrophic hack in 2015, but people still use it to get all the action outside of their marriages. Those users need to know that their privacy will be protected at all costs.
After all, they're cheating on their spouses by being on this site. After the hack and ensuing lawsuits and scandals, Ashley Madison has still managed to keep most of its clients and has even gained some new ones. The only problem is, there are very private photos belonging to a large number of people that are exposed.
There are photos that are supposed to be hidden from public view on the site. Public photos are available for anyone on the site to see but private photos can only be accessed with a 'key'. The only problem is, if another person shares their key first, then Ashley Madison automatically shares a user's key with that person. Basically, even if you decline to share your private key, it's still possible for someone else to get to your pictures without prior authorization.
This means that you can sign up and start accessing private pictures almost immediately. According to Matt Svensson and Bob Diachenko from cybersecurity firm Kromtech, the situation gets worse because multiple accounts can be signed up with a single email address.
This means that hackers have access to thousands of personal pictures. Svensson says, "This makes it much easier to brute force. Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or a couple of thousand users' private pictures per day."
There is another major issue. Anyone who has the link can access the pictures. Ashley Madison has made it really difficult to figure out the URL, but it's still possible to get the photos. Even those who have not signed up on the site can access the photos if they get a link.
Another "Fappening" could very much become a reality if this keeps up. The Fappening was the event in which dozens of celebrities had nude photos of themselves published online, but according to Svensson, this time the victims would be the site's users.
Deanonymizing users on the site has also proven extremely easy, since malicious people can crosscheck usernames on social media sites and find them. Svensson says, "A malicious actor could get all of the nude photos and dump them online. I successfully found a few people this way. Each one of them immediately disabled their Ashley Madison account."
These attacks could prove to be high risk for users who were exposed in the 2015 hack and in particular, the ones who were blackmailed by opportunists. "Now you can tie pictures, possibly nude pictures, to an identity. This opens a person up to new blackmail schemes," warned Svensson.
Diachenko said of the kind of photos that were accessible in their test, "I didn't see much of them, only a couple, to confirm the theory. But some were of pretty private nature."
The two researchers have been in contact with Ashley Madison's security team over the past months. They've been praising the site for taking a proactive approach to dealing with their problems. One of the updates that were made to the site prevents users from sending out multiple keys, which in turn will prevent anyone from accessing a large number of photos.
The company has also added an "anomaly detection" feature to flag abuses of the feature.
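To show why a limit on keys sent per account is not enough when many accounts can sit on one email address, here is an added illustration of such a check (not Ashley Madison's or the researchers' code). The event fields, the 24-hour window and the limit of 20 recipients are assumptions made for the example, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_bulk_key_sharing(events, key, window=timedelta(hours=24), limit=20):
    """Return {group: peak} for groups that sent keys to more than `limit`
    distinct recipients inside any sliding `window`.
    `key(event)` chooses the grouping: per account or per registration email."""
    recent = defaultdict(deque)  # group -> (timestamp, recipient) still in window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        group = key(ev)
        q = recent[group]
        q.append((ev["ts"], ev["recipient"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop key shares that fell out of the window
        distinct = len({recipient for _, recipient in q})
        if distinct > limit:
            peaks[group] = max(peaks.get(group, 0), distinct)
    return peaks

def by_account(ev):
    return ev["account"]

def by_email(ev):
    # Accounts registered with the same address collapse into one group.
    return ev["email"].strip().lower()

def sample_events():
    """Constructed data: 30 accounts on one email, 5 key shares each,
    plus one ordinary member who shares 3 keys."""
    start = datetime(2020, 1, 1, 9, 0)
    events = []
    for a in range(30):
        for k in range(5):
            n = a * 5 + k
            events.append({"ts": start + timedelta(minutes=n),
                           "account": f"acct{a:02d}",
                           "email": "Bulk@Example.test",
                           "recipient": f"member{n:03d}"})
    for k in range(3):
        events.append({"ts": start + timedelta(hours=k), "account": "ordinary",
                       "email": "one@example.test", "recipient": f"friend{k}"})
    return events

if __name__ == "__main__":
    evs = sample_events()
    print("flagged per account:", flag_bulk_key_sharing(evs, by_account))
    print("flagged per email:  ", flag_bulk_key_sharing(evs, by_email))
```

Counted per account, nothing in the sample crosses the limit; counted per registration email, the 30 accounts stand out as a single source reaching 150 members.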
In an odd decision, the company did not change the default setting that sees private keys shared with anyone who hands out their own. Ashley Madison owner Ruby Life has the feature off by default on two of its other sites, Cougar Life and Established Men.
By default, the option to share private images is on, but users can turn it off in the settings. Often though, users forget to switch the sharing off. The researchers, in their tests, gave a private key to users randomly. Almost 64% shared this private key.
Ruby Life chief information security officer, Matthew Maglieri, said in an email statement to Forbes that the company was happy to work with Svensson on the issues that Ashley Madison is going through. "We can confirm that his findings were corrected and that we have no evidence that any user images were compromised and/or shared outside of the normal course of our member interaction," Maglieri said.
"We do know our work is not finished. As part of our ongoing efforts, we work closely with the security research community to proactively identify opportunities to improve the security and privacy controls for our members, and we maintain an active bug bounty program through our partnership with HackerOne. All product features are transparent and allow our members total control over the management of their privacy settings and user experience."
Svensson believes Ashley Madison should remove the auto-sharing feature entirely and said it appeared the ability to run brute force attacks had likely been around for a long time. "The issues that allowed for this attack method are due to long-standing business decisions," he told Forbes.
"Maybe the [2015 hack] should have caused them to re-think their assumptions. Sadly, they knew that pictures could be accessed without authentication and relied on security through obscurity."