Back in October, I have received a heads up from independent security researcher, Matt Svensson, who was in the middle of his investigation related to Ashley Madison (AM) and a logical flaw in their default settings that allows access to large amount of users' private photos. We partnered together to work out the attack vectors and impact and privately disclosed the issues to AM parent company who worked hard to address all the privacy concerns. The following report is the result of our joint efforts. Ashley Madison, the online cheating site that was hacked two years ago, is still exposing its users' data. This time, it is because of poor technical and logical implementations. As a result, approximately 64% of Ashley Madison (AM) private, often explicit, pictures are accessible. This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year's leak of names and addresses. Let's look at how "Sarah" and "Jim," two hypothetical users on AM, can have their privacy broken. AM has two types of pictures, public and private, neither of which are required. Public pictures are viewable by any AM user. Private pictures are secured by a "key." Sarah can send her key to Jim so he can see her pictures. Jim can request Sarah's key, requiring her explicit approval. Sarah can also revoke Jim's key, restricting his access. This structure makes sense but, two issues open the door to problems: - By default, AM will automatically share Sarah's key with Jim if he shares his key with her. - Pictures can be accessed, without authentication, by directly accessing its URL. To protect her privacy, Sarah created a generic username, unlike any others she uses and made all of her pictures private. She has denied two key requests because the people did not seem trustworthy. Jim skipped the request to Sarah and simply sent her his key. By default, AM will automatically give Jim Sarah's key. That's right, Jim can now see all of Sarah's private pictures, rated (aka explicit) and non-rated. How does this happen? When adding a picture, the box to share your private pictures is already checked. If you keep this box checked, it will apply the same setting to additional pictures of the same type (public or private). There are two issues with this implementation. First, few understand the implications nor think through the way it could be exploited. Second, as Steve Gibson would put it, is the "tyranny of the default." As he explains it, "whatever the default settings are, most of the time that's what they end up being forever." People will simply click through the options, leaving them as recommended. The only way to change this configuration is to go deep into the settings page. Let's go back to our metaphorical users. Sarah will at least get an email saying that she received Jim's key and can go to AM to validate the interaction and revoke the key Jim was given. During testing, less than 1% of users revoked their key after it had been given. It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random AM user seeing their private pictures. Thosethose that revoked their key, access is now denied. Actually, that's not 100% true. Once Jim is granted access to Sarah's pictures, he is able to see the link, e.g. https://photo-cdn.ashleymadison.com/[picture_name]. Not only can he access the picture, with this link, anyone can access the picture without authentication, AM user or not. While the picture URL is too long to brute-force (32 characters), AM's reliance on "security through obscurity" opened the door to persistent access to users' private pictures, even after AM was told to deny someone access. Data Leakage In order to prove the validity of this issue, we wrote a program to iterate through all IDs, aka profile numbers, (0-99,999,999) and gave a private key to a random sample of users that had private pictures. Based on this random sampling: 26% of users had private pictures 64% of users accounts that had private pictures automatically returned their key AM's parent company, Ruby, also controls two other sites, Established Men and Cougar Life. Both of these sites also have automatic key exchange and require no authentication to directly access picture URLs; however, they at least force a user to pick if they want to enable sharing by default instead of defaulting it on and requiring a user to uncheck the box. Implications The implications of these issues are many. At the core, pictures that AM users entrusted them to securely store are exposed. Users can be victims of blackmail. AM users were blackmailed last year, after a leak of users' email addresses and names and addresses of those who used credit cards. Some people used "anonymous" email addresses and never used their credit card, protecting them from that leak. Now, with a high likelihood of access to their private pictures, a new subset of users are exposed to the possibility of blackmail. These, now accessible, pictures can be trivially linked to people by combining them with last year's dump of email addresses and names with this access by matching profile numbers and usernames. Exposed private pictures can facilitate deanonymization. Tools like Google Image Search or TinEye can search the internet to try to find the same picture, including on social media sites like Facebook, Instagram, and Twitter. This sites often have your real name, connecting your AM account to your identity. Some users also include their first name in their username, e.g. Sarah1234. With your name, age, location, and now pictures, it can be easy to search Facebook or Google for a matching profile. Recommendations Remove automatic pictures sharing or adjust its logic. In our opinion, Sarah should have to explicitly give Jim permission to her private pictures. AM's parent company does not agree and sees the automatic key exchange as an intended feature. Limit key exchanges. If you limit how many keys a user can send out, you decrase the speed with which they can exploit automatic key sharing across the user base. AM's parent company has completed this. Restrict right-click functionality in the web page. While this is not perfect, it at least raises the difficulty in saving or stealing private pictures. Add authentication to all AM photos. Having pictures accessible, unauthenticated, is negligent. Only allow 1 user account per email address. We were able to create 7 user accounts under the same email address, which lowered the difficulty of conducting the scan of user accounts. Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center. Do you have security tips or suggestions? Contact: firstname.lastname@example.org
Subscribe for the latest security news and discoveries
Thank you for subscribing to our Newsletter. To finish the subscription process, please visit your email.