Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action.
For those who stuck around, or joined after the breach, decent security is a must. Yet, according to security researchers, the site has left highly private photos belonging to a large portion of its customers exposed.
The issues arose from the way Ashley Madison handled photos that were meant to be hidden from public view. Users' public pictures are viewable by anyone who has signed up, while private photos are gated behind a "key" that the owner hands to a chosen user. But Ashley Madison automatically sends a user's key back to anyone who shares their own key first. As a result, a user who never deliberately chose to share their private key, and by extension their pictures, could still have it handed out without their authorization.
That reciprocal default makes it possible to sign up, hand out one's own key to many users and collect the keys automatically returned. Exacerbating the issue is the ability to register multiple accounts with a single email address, said independent researcher Matt Svensson and Bob Diachenko from cybersecurity firm Kromtech, which published a blog post on the research Wednesday. That means a hacker could quickly set up a vast number of accounts to start acquiring photos at speed. "This makes it much easier to brute force," said Svensson. "Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or couple of thousand users' private pictures per day."
There was another issue: once a private picture's URL is known, it is accessible to anyone who has the link, with no login required. Whilst Ashley Madison has made the URLs extraordinarily hard to guess, an attacker could use the first attack to obtain the links and then share them outside the platform, the researchers said. Even people who aren't signed up to Ashley Madison can then view the images by clicking the links.
This could all lead to an event similar to the "Fappening," in which celebrities had their private nude images published online, though here Ashley Madison users would be the victims, warned Svensson. "A malicious actor could get all of the nude photos and dump them online," he added, noting that deanonymizing users had proven easy by cross-checking usernames on social media sites. "I successfully found a few people this way. Each one of them immediately disabled their Ashley Madison account," said Svensson.
He said such attacks could pose a high risk to users who were exposed in the 2015 breach, in particular those who were blackmailed by opportunistic criminals. "Now you can tie pictures, possibly nude pictures, to an identity. This opens a person up to new blackmail schemes," warned Svensson.
Talking about the kinds of photos that were accessible in their tests, Diachenko said: "I didn't see much of them, only a couple, to confirm the theory. But some were of pretty private nature."
Half-fixed problem?
Over recent months, the researchers have been in touch with Ashley Madison's security team, and they praised the dating site for taking a proactive approach to addressing the problems. One update placed a limit on how many keys a user can send out, which should stop anyone from harvesting a large number of private photos at speed, according to the researchers. Svensson said the company had also added "anomaly detection" to flag possible abuse of the feature.
But the company chose not to change the default setting under which a user's private key is shared automatically with anyone who hands out their own. That might come across as an odd decision, given that Ashley Madison owner Ruby Life has the feature off by default on two of its other sites, Cougar Life and Established Men.
Users can protect themselves. Whilst the option to share private photos automatically with anyone who has granted access to their own images is on by default, users can turn it off with a single click in settings. But it appears many users haven't. In their tests, the researchers sent a key to a random sample of users who had private pictures; nearly two-thirds (64%) automatically shared their private key back.
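To make the mechanics concrete, here is a small toy model of the reciprocal key-sharing feature described above, written as an added example for this article; it is not Ashley Madison's code, and the class, the limits (one account per email, two key sends per account) and the five-user population with its opt-in/opt-out choices are all constructed assumptions. It shows how the reciprocal default lets an attacker collect keys simply by handing out their own, and how each of the two mitigations discussed here (an opt-in default, or a key-send limit plus one account per email) changes what the attacker gets back:

```python
from collections import defaultdict


class PhotoKeyService:
    """Toy model of a reciprocal 'private photo key' feature (constructed, not the site's code)."""

    def __init__(self, auto_reciprocate_default=True, max_accounts_per_email=None,
                 max_key_sends=None):
        self.auto_reciprocate_default = auto_reciprocate_default  # the reported risky default is True
        self.max_accounts_per_email = max_accounts_per_email      # None = unlimited (original state)
        self.max_key_sends = max_key_sends                        # None = unlimited (original state)
        self.accounts = {}                        # username -> settings and counters
        self.accounts_by_email = defaultdict(set)
        self.keys_held = defaultdict(set)         # holder -> usernames whose key they hold

    def register(self, username, email, auto_reciprocate=None):
        if username in self.accounts:
            raise ValueError(f"{username} already exists")
        if (self.max_accounts_per_email is not None
                and len(self.accounts_by_email[email]) >= self.max_accounts_per_email):
            raise PermissionError(f"account limit reached for {email}")
        if auto_reciprocate is None:              # user never touched the setting: site default applies
            auto_reciprocate = self.auto_reciprocate_default
        self.accounts[username] = {"email": email, "auto": auto_reciprocate, "sent": 0}
        self.accounts_by_email[email].add(username)

    def share_key(self, sender, recipient):
        """sender deliberately hands recipient the key to sender's private photos."""
        acct = self.accounts[sender]
        if self.max_key_sends is not None and acct["sent"] >= self.max_key_sends:
            raise PermissionError(f"{sender} hit the key-send limit")
        acct["sent"] += 1
        self.keys_held[recipient].add(sender)
        # The reported flaw: if the recipient has reciprocal sharing on, their key
        # goes straight back to the sender with no explicit decision on their part.
        if self.accounts[recipient]["auto"]:
            self.keys_held[sender].add(recipient)


def harvest(service, attacker_email, n_accounts, victims):
    """Attacker registers n_accounts under one email, sends each account's key to every
    victim and keeps whatever keys are automatically returned."""
    collected = set()
    for i in range(n_accounts):
        name = f"attacker{i}"
        try:
            service.register(name, attacker_email)
        except PermissionError:       # per-email account cap reached
            break
        for victim in victims:
            try:
                service.share_key(name, victim)
            except PermissionError:   # key-send cap reached for this account
                break
        collected |= service.keys_held[name]
    return collected


# Constructed population: two users switched reciprocal sharing off, one switched it on,
# two never touched the setting and therefore get whatever the site default is.
VICTIMS = ["alice", "bob", "carol", "dave", "erin"]
EXPLICIT_CHOICE = {"bob": False, "dave": False, "carol": True}


def run(service):
    for v in VICTIMS:
        service.register(v, f"{v}@example.com", auto_reciprocate=EXPLICIT_CHOICE.get(v))
    return harvest(service, "attacker@example.com", n_accounts=3, victims=VICTIMS)


def vulnerable_default():
    """Reciprocal sharing on by default, unlimited accounts and key sends."""
    return run(PhotoKeyService())


def rate_limited():
    """Default unchanged, but one account per email and two key sends per account."""
    return run(PhotoKeyService(max_accounts_per_email=1, max_key_sends=2))


def opt_in_default():
    """Reciprocal sharing off unless the user explicitly turned it on."""
    return run(PhotoKeyService(auto_reciprocate_default=False))


if __name__ == "__main__":
    print("vulnerable default:", sorted(vulnerable_default()))
    print("rate limited:      ", sorted(rate_limited()))
    print("opt-in default:    ", sorted(opt_in_default()))
```

Under the original defaults the attacker walks away with the keys of every user who never changed the setting plus those who turned it on; the send limit only throttles the harvest (and an attacker with many email addresses could still scale it), while the opt-in default confines the exposure to users who made a deliberate choice, which is why Svensson argues for removing the automatic reciprocation rather than merely slowing it down.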
In an emailed statement, Ruby Life chief information security officer Matthew Maglieri said the company was happy to work with Svensson on the issues. "We can confirm that his findings were corrected and that we have no evidence that any user images were compromised and/or shared outside of the normal course of our member interaction," Maglieri said.
"We do know our work is not finished. As part of our ongoing efforts, we work closely with the security research community to proactively identify opportunities to improve the security and privacy controls for our members, and we maintain an active bug bounty program through our partnership with HackerOne.
"All product features are transparent and allow our members total control over the management of their privacy settings and user experience." Svensson, who believes Ashley Madison should remove the auto-sharing feature entirely, said it appeared the ability to run brute force attacks had likely existed for a long time. "The issues that allowed for this attack method are due to long-standing business decisions," he said.
"Maybe the [2015 hack] should have caused them to re-think their assumptions. Sadly, they knew that pictures could be accessed without authentication and relied on security through obscurity."