Ashley Madison made dumb security mistakes, researcher says

Life is short. Have an affair. Write insecure software

Application tokens in the Ashley Madison dump
Some of the application-specific tokens Szathmari found in the Ashley Madison code

A “ten minute search” by a security bod has provided some hints about the coding errors that might lie behind the now-infamous Ashley Madison hack.

While the author doesn't make the specific claim that these mistakes lie behind the Ashley Madison hack, it hints at the kind of inattention that opens sites to attack.

The London-based blogger, security consultant Gabor Szathmari, writes that the Ashley Madison source code “contains AWS tokens, database credentials, certificate private keys and other secret credentials”.

In particular, Szathmari singles out the AWS tokens as a serious risk, since once the Impact Team had made its initial breach, “lateral movement” between systems would be easier and probably helped lead to the full breach.

The developers also seemed to share World+Dog's dislike for long passwords, since Szathmari says he found many database credentials between 5 and 8 characters long, with only two character classes.

Other dumb mistakes included Twitter OAuth credentials, the private keys of SSL certificates, and various application-specific tokens, all stupid things to store in-code.

The Register expects that the lawyers now slinging sue-balls at Ashley Madison, as well as AWS and GoDaddy, will be looking for hired guns to comb the code-base for themselves.

If you happen to be a site operator, it might be a good time to check your own code tree. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017