[BreachExchange] Ashley Madison 2.0? The Site May Be Cheating the Cheaters by Exposing Their Private Pictures

[Destry Winant]

https://wccftech.com/ashley-madison-private-pictures-exposed/

Ashley Madison, the online dating/cheating site that became immensely
popular after a damning 2015 hack, is back in the news. Only earlier
this month, the company’s CEO had boasted that the site had started to
recover from its catastrophic 2015 hack and that the user growth is
recovering to levels of before this cyberattack that exposed personal
data of millions of its users – users who found themselves in the
middle of scandals for having signed up and potentially used the
adultery website.

“You have to make [security] your number one priority,” Ruben Buell,
the company’s new president and CTO had claimed. “There really can’t
be anything more important than the users’ discretion and the users’
privacy and the users’ security.”

Hmm, or is it so…

It appears that the newfound trust among AM users was temporary as
security researchers have revealed that the site has left private
photos of many of its clients exposed online. “Ashley Madison, the
online cheating site that was hacked two years ago, is still exposing
its users’ data,” security researchers at Kromtech wrote today.

Bob Diachenko of Kromtech and Matt Svensson, an independent security
researcher, discovered that due to these technical flaws, nearly 64%
of private, often explicit, pictures are accessible on the site even
to those not on the platform.

“This access can often lead to trivial deanonymization of users who
had an assumption of privacy and opens new avenues for blackmail,
especially when combined with last year’s leak of names and
addresses,” researchers warned.

What is the problem with Ashley Madison now

AM users can set their pictures as either public or private. While
public photos are visible to any Ashley Madison user, Diachenko said
that private pictures are secured by a key that users may share with
each other to view these private images.

For example, one user can request to see another user’s private
pictures (predominantly nudes – it’s AM, after all) and only after the
explicit approval of that user can the first view these private
pictures. At any time, a user can decide to revoke this access even
after a key has been shared. While this may seem like a no-problem,
the issue happens when a user initiates this access by sharing their
own key, in which case AM sends the latter’s key without their
approval. Here’s a scenario shared by the researchers (emphasis is
ours):

To protect her privacy, Sarah created a generic username, unlike any
others she uses and made all of her pictures private. She has denied
two key requests because the people did not seem trustworthy. Jim
skipped the request to Sarah and simply sent her his key. By default,
AM will automatically give Jim Sarah’s key.

This essentially enables people to just sign up on AM, share their key
with random people and receive their private photos, potentially
leading to massive data leaks if a hacker is persistent. “Knowing you
can create dozens or hundreds of usernames on the same email, you
could get access to a few hundred or couple of thousand users’ private
pictures per day,” Svensson wrote.

The other issue is the URL of the private picture that enables anyone
with the link to access the picture even without authentication or
being on the platform. This means that even after someone revokes
access, their private pictures remain accessible to others. “While the
picture URL is too long to brute-force (32 characters), AM’s reliance
on “security through obscurity” opened the door to persistent access
to users’ private pictures, even after AM was told to deny someone
access,” researchers explained.

Users can be victims of blackmail as exposed private pictures can
facilitate deanonymization

This puts AM users at risk of exposure even if they used a fake name
since images can be tied to real people. “These, now accessible,
pictures can be trivially linked to people by combining them with last
year’s dump of email addresses and names with this access by matching
profile numbers and usernames,” researchers said.

In short, this would be a mix of the 2015 AM hack and the Fappening
scandals making this potential dump much more personal and devastating
than previous hacks. “A malicious actor could get all of the nude
photos and dump them online,” Svensson wrote. “I successfully found a
few people this way. Each one of them immediately disabled their
Ashley Madison account.”

After researchers contacted AM, Forbes reported that the site put a
limit on how many keys a user can send out, potentially stopping
anyone trying to access large number of private photos at speed using
some automated program. However, it is yet to change this setting of
automatically sharing private keys with someone who shares theirs
first. Users can protect themselves by going into settings and
disabling the default option of automatically exchanging private keys
(researchers revealed that 64% of all users had kept their settings at
default).

“Maybe the [2015 AM hack] should have caused them to re-think their
assumptions,” Svensson said. “Sadly, they knew that pictures could be
accessed without authentication and relied on security through
obscurity.”