Ashley Madison Caught Exposing Cheaters' Private Photos

Credit: forbes.com

Dec 06 2017 15:30

Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who've stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed.

The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users' public pictures are viewable by anyone who's signed up, private photos are secured by a "key." But Ashley Madison automatically shares a user's key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it's still possible to get them without authorization.

This makes it possible to sign up and start accessing private photos. Exacerbating the issue is the ability to sign up multiple accounts with a single email address, said independent researcher Matt Svensson and Bob Diachenko from cybersecurity firm Kromtech, which published a blog post on the research Wednesday. That means a hacker could quickly set up a vast number of accounts to start acquiring photos at speed. "This makes it much easier to brute force," said Svensson. "Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or couple of thousand users' private pictures per day."

There was another issue: pictures are accessible to anyone who has the link. Whilst Ashley Madison has made it extraordinarily difficult to guess the URL, it's possible to use the first attack to acquire photos before sharing outside the platform, the researchers said. Even those who aren't signed up to Ashley Madison can access the images by clicking the links.

This could all lead to a similar event as the "Fappening," where celebrities had their private nude images published online, though in this case it would be Ashley Madison users as the victims, warned Svensson. "A malicious actor could get all of the nude photos and dump them online," he added, noting that deanonymizing users had proven easy by crosschecking usernames on social media sites. "I successfully found a few people this way. Each one of them immediately disabled their Ashley Madison account," said Svensson.

He said such attacks could pose a high risk to users who were exposed in the 2015 breach, in particular those who were blackmailed by opportunistic criminals. "Now you can tie pictures, possibly nude pictures, to an identity. This opens a person up to new blackmail schemes," warned Svensson.

Talking about the kinds of photos that were accessible in their tests, Diachenko said: "I didn't see much of them, only a couple, to confirm the theory. But some were of pretty private nature."

Half-fixed problem?

Over recent months, the researchers have been in touch with Ashley Madison's security team, praising the dating site for taking a proactive approach in addressing the problems. One update saw a limit placed on how many keys a user can send out, which should stop anyone trying to access a large number of private photos at speed, according to the researchers. Svensson said the company had added "anomaly detection" to flag possible abuses of the feature.

But the company chose not to change the default setting that sees private keys shared with anyone who hands out their own. That might come across as an odd decision, given Ashley Madison owner Ruby Life has the feature off by default on two of its other sites, Cougar Life and Established Men.

Users can save themselves. Whilst by default the option to share private photos with anyone who has granted access to their own images is turned on, users can turn it off with the simple click of a button in settings. But oftentimes it appears users haven't switched sharing off. In their tests, the researchers gave a private key to a random sample of users who had private pictures. Nearly two-thirds (64%) shared their private key.
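The key-exchange behaviour described earlier (a received key is automatically reciprocated) and the mitigations discussed in this section (opt-in sharing, a cap on keys sent, one account per email) can be modelled in a few lines. This is an added simulation, not Ashley Madison's code; the class, method and account names are assumptions, and it goes slightly beyond the article by showing all three controls together.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    auto_share: bool  # reciprocate any key received, without asking the user


class PhotoKeyService:
    """Hypothetical private-photo 'key' exchange. granted holds (owner, viewer) pairs."""

    def __init__(self, auto_share_default=True, max_keys_per_account=None,
                 one_account_per_email=False):
        self.auto_share_default = auto_share_default  # article: on by default
        self.max_keys = max_keys_per_account          # mitigation: cap keys sent
        self.one_per_email = one_account_per_email    # mitigation: no account farms
        self.accounts, self.emails = {}, set()
        self.granted, self.keys_sent = set(), Counter()

    def register(self, username, email):
        email = email.strip().lower()
        if self.one_per_email and email in self.emails:
            raise ValueError("an account already exists for " + email)
        self.accounts[username] = Account(username, email, self.auto_share_default)
        self.emails.add(email)
        return self.accounts[username]

    def send_key(self, owner, viewer):
        """owner hands viewer the key to owner's private photos."""
        if self.max_keys is not None and self.keys_sent[owner] >= self.max_keys:
            raise PermissionError(owner + " hit the key-sharing limit")
        self.keys_sent[owner] += 1
        self.granted.add((owner, viewer))
        # The flaw: with auto_share on, the recipient's key goes straight back,
        # so their private photos are exposed without any decision on their part.
        if self.accounts[viewer].auto_share:
            self.granted.add((viewer, owner))

    def can_view(self, viewer, owner):
        return (owner, viewer) in self.granted


def exposed_without_consent(service):
    """Constructed scenario: a stranger sends a key; does the victim's album open?"""
    service.register("victim", "victim@example.com")
    service.register("stranger", "stranger@example.com")
    service.send_key("stranger", "victim")
    return service.can_view("stranger", "victim")
```

With the defaults the function returns True; with `auto_share_default=False` it returns False until the victim sends a key themselves.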

In an emailed statement, Ruby Life chief information security officer Matthew Maglieri said the company was happy to work with Svensson on the issues. "We can confirm that his findings were corrected and that we have no evidence that any user images were compromised and/or shared outside of the normal course of our member interaction," Maglieri said.

"We do know our work is not finished. As part of our ongoing efforts, we work closely with the security research community to proactively identify opportunities to improve the security and privacy controls for our members, and we maintain an active bug bounty program through our partnership with HackerOne.

"All product features are transparent and allow our members total control over the management of their privacy settings and user experience."

Svensson, who believes Ashley Madison should remove the auto-sharing feature entirely, said it appeared the ability to run brute force attacks had likely been around for a long time. "The issues that allowed for this attack method are due to long-standing business decisions," he told .

"Maybe the [2015 hack] should have caused them to re-think their assumptions. Sadly, they knew that pictures could be accessed without authentication and relied on security through obscurity."
