Ashley Madison 2.0? The Site May Be Cheating the Cheaters by Exposing Their Private Pictures
Ashley Madison, the online dating/cheating site that became immensely popular after a damning 2015 hack, is back in the news. Only earlier this month, the company's CEO had boasted that the site had started to recover from its catastrophic 2015 hack and that the user growth is recovering to levels of before this cyberattack that exposed personal data of millions of its users - users who found themselves in the middle of scandals for having signed up and potentially used the adultery website.
“You have to make [security] your number one priority,” Ruben Buell, the company's new president and CTO had claimed. "There really can’t be anything more important than the users' discretion and the users' privacy and the users' security."
Hmm, or is it so...
It appears that the newfound trust among AM users was temporary as security researchers have revealed that the site has left private photos of many of its clients exposed online. "Ashley Madison, the online cheating site that was hacked two years ago, is still exposing its users' data," security researchers at Kromtech wrote today.
"This time, it is because of poor technical and logical implementations."
Bob Diachenko of Kromtech and Matt Svensson, an independent security researcher, discovered that due to these technical flaws, nearly 64% of private, often explicit, pictures are accessible on the site even to those not on the platform.
"This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year's leak of names and addresses," researchers warned.
What is the problem with Ashley Madison now
AM users can set their pictures as either public or private. While public photos are visible to any Ashley Madison user, Diachenko said that private pictures are secured by a key that users may share with each other to view these private images.
For example, one user can request to see another user's private pictures (predominantly nudes - it's AM, after all) and only after the explicit approval of that user can the first view these private pictures. At any time, a user can decide to revoke this access even after a key has been shared. While this may seem like a no-problem, the issue happens when a user initiates this access by sharing their own key, in which case AM sends the latter's key without their approval. Here's a scenario shared by the researchers (emphasis is ours):
To protect her privacy, Sarah created a generic username, unlike any others she uses and made all of her pictures private. She has denied two key requests because the people did not seem trustworthy. Jim skipped the request to Sarah and simply sent her his key. By default, AM will automatically give Jim Sarah's key.
This essentially enables people to just sign up on AM, share their key with random people and receive their private photos, potentially leading to massive data leaks if a hacker is persistent. "Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or couple of thousand users' private pictures per day," Svensson wrote.
The other issue is the URL of the private picture that enables anyone with the link to access the picture even without authentication or being on the platform. This means that even after someone revokes access, their private pictures remain accessible to others. "While the picture URL is too long to brute-force (32 characters), AM's reliance on "security through obscurity" opened the door to persistent access to users' private pictures, even after AM was told to deny someone access," researchers explained.
Users can be victims of blackmail as exposed private pictures can facilitate deanonymization
This puts AM users at risk of exposure even if they used a fake name since images can be tied to real people. "These, now accessible, pictures can be trivially linked to people by combining them with last year's dump of email addresses and names with this access by matching profile numbers and usernames," researchers said.
In short, this would be a mix of the 2015 AM hack and the Fappening scandals making this potential dump much more personal and devastating than previous hacks. "A malicious actor could get all of the nude photos and dump them online," Svensson wrote. "I successfully found a few people this way. Each one of them immediately disabled their Ashley Madison account."
After researchers contacted AM, Forbes reported that the site put a limit on how many keys a user can send out, potentially stopping anyone trying to access large number of private photos at speed using some automated program. However, it is yet to change this setting of automatically sharing private keys with someone who shares theirs first. Users can protect themselves by going into settings and disabling the default option of automatically exchanging private keys (researchers revealed that 64% of all users had kept their settings at default).
"Maybe the [2015 AM hack] should have caused them to re-think their assumptions," Svensson said. "Sadly, they knew that pictures could be accessed without authentication and relied on security through obscurity."