Ashley Madison Guilty Of Hard-Coded Creds, Weak Bot DetectionResearchers find Amazon Web Services credentials in the source code and honeypot email addresses in the leaked user database.
Bad coding may have contributed to the doxing attack at Avid Life Media -- parent company of Ashley Madison, a dating site for people seeking extramarital affairs -- and insufficient bot detection may mean that people who've never even heard of Ashley Madison will find themselves on the leaked database.
Researchers have found that ALM hard-coded a variety of credentials into its source code, which may have helped enable the attack. Also, ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals' email addresses -- and dozens of addresses owned by Trend Micro honeypots -- may have been used to create Ashley Madison profiles without their knowledge.
That's bad news for those whose emails are on the list, because they're being targeted by a variety of penny-ante extortion schemes looking to squeeze victims for a Bitcoin here, a Bitcoin there.
Trend Micro last week reported that it had seen criminals hitting up victims for Bitcoin using a variety of tactics. The business model is similar to that used by ransomware operators: small ransoms, lots of targets.
Some messages threatened standard extortion -- the attacker stating that they'd not only gotten the target's Ashley Madison profile, but hacked their Facebook account as well, and if the target did not pay up, they'd expose the victim's Ashley Madison profile info to their family and friends list. This message requested "exactly 1.05 BTC" (about $257 US) in payment. As of Sep. 1, Cloudmark researchers estimated that this message had already netted approximately $6,400.
Another message purported to be from Impact Team -- the group that's taken credit for the attack. The message stated that there would be yet another data dump forthcoming, which would include profile photos, messages between members, and more. With a neighborly tone, stating, "We apologize as the members of the site were not our intended targets it was company itself," it offered recipients the opportunity to completely redact their profile before the next leak, for the price of 1.15 BTC (about $281 US).
A third message claimed to be raising money for a class action lawsuit against Ashley Madison, and sends users to a website to sign up and donate.
In a blog post today, Trend Micro said it received some of these messages in the inboxes of dozens of addresses used by their honeypots, despite the fact that Trend Micro had never knowingly used those addresses to create Ashley Madison accounts.
Threat research manager Ryan Flores gathered 130 accounts that share the same signupip as the honeypot emails and believes they may have been generated by forum/comment spammers and third-party "profile creators" hired by Ashley Madison to help them build markets in new countries. He doesn't think Ashley Madison itself directly created these false accounts because only about 10 percent of the profiles claimed to be female.
He deduced that while some may have been generated by spambots, humans must have created others, including account clusters in Brazil and Korea -- a cluster being a group of accounts, all created from one IP address, within minutes of one another -- because the birthdates and usernames of the profiles were not as random as a bot would generally create.
This would be less problematic if the breach had never occurred in the first place. Yet, according to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only."
"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari wrote.
One thing Ashley Madison's security team did do right was encrypt users' passwords. However, researchers at Avast! have begun decrypting some of the weakest passwords in the database, using bcrypt. After two weeks of runtime, Avast says the CPU crack is about 4.8% complete, and the GPU crack is only about 0.0008% complete. So far, at least some of Ashley Madison's users have shown to be just as reckless creating passwords for highly sensitive sites as they are for others. The top five passwords (of those that could be cracked by bcrypt) are, in order of most to least, "123456," "password," "12345," "12345678," and "qwerty."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio