Attacks/Breaches

9/8/2015
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Ashley Madison Guilty Of Hard-Coded Creds, Weak Bot Detection

Researchers find Amazon Web Services credentials in the source code and honeypot email addresses in the leaked user database.

Bad coding may have contributed to the doxing attack at Avid Life Media -- parent company of Ashley Madison, a dating site for people seeking extramarital affairs -- and insufficient bot detection may mean that people who've never even heard of Ashley Madison will find themselves on the leaked database. 

Researchers have found that ALM hard-coded a variety of credentials into its source code, which may have helped enable the attack. Also, ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals' email addresses -- and dozens of addresses owned by Trend Micro honeypots -- may have been used to create Ashley Madison profiles without their knowledge.

That's bad news for those whose emails are on the list, because they're being targeted by a variety of penny-ante extortion schemes looking to squeeze victims for a Bitcoin here, a Bitcoin there.

Trend Micro last week reported that it had seen criminals hitting up victims for Bitcoin using a variety of tactics. The business model is similar to that used by ransomware operators: small ransoms, lots of targets.

Some messages threatened standard extortion -- the attacker stating that they'd not only gotten the target's Ashley Madison profile, but hacked their Facebook account as well, and if the target did not pay up, they'd expose the victim's Ashley Madison profile info to their family and friends list. This message requested "exactly 1.05 BTC" (about $257 US) in payment. As of Sep. 1, Cloudmark researchers estimated that this message had already netted approximately $6,400.

Another message purported to be from Impact Team -- the group that's taken credit for the attack. The message stated that there would be yet another data dump forthcoming, which would include profile photos, messages between members, and more. With a neighborly tone, stating, "We apologize as the members of the site were not our intended targets it was company itself," it offered recipients the opportunity to completely redact their profile before the next leak, for the price of 1.15 BTC (about $281 US).

A third message claimed to be raising money for a class action lawsuit against Ashley Madison, and sends users to a website to sign up and donate.

In a blog post today, Trend Micro said it received some of these messages in the inboxes of dozens of addresses used by their honeypots, despite the fact that Trend Micro had never knowingly used those addresses to create Ashley Madison accounts.

Threat research manager Ryan Flores gathered 130 accounts that share the same signupip as the honeypot emails and believes they may have been generated by forum/comment spammers and third-party "profile creators" hired by Ashley Madison to help them build markets in new countries. He doesn't think Ashley Madison itself directly created these false accounts because only about 10 percent of the profiles claimed to be female.

He deduced that while some may have been generated by spambots, humans must have created others, including account clusters in Brazil and Korea -- a cluster being a group of accounts, all created from one IP address, within minutes of one another -- because the birthdates and usernames of the profiles were not as random as a bot would generally create.

This would be less problematic if the breach had never occurred in the first place. Yet, according to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only."

"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari wrote.

One thing Ashley Madison's security team did do right was encrypt users' passwords. However, researchers at Avast! have begun decrypting some of the weakest passwords in the database, using bcrypt. After two weeks of runtime, Avast says the CPU crack is about 4.8% complete, and the GPU crack is only about 0.0008% complete. So far, at least some of Ashley Madison's users have shown to be just as reckless creating passwords for highly sensitive sites as they are for others. The top five passwords (of those that could be cracked by bcrypt) are, in order of most to least, "123456," "password," "12345," "12345678," and "qwerty."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2015 | 11:09:14 AM
Re: Security
Embarrassing and unprofessional. Seriously, hard coding credentials, tokens and SSL certs?
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/9/2015 | 7:32:15 AM
Security
The security, or lack thereof at AVL and Ashley Madison is really embarassing. It shows that when crafting a service you need people who are well versed in web security there from the get go. You cannot build a system and hire a security pro later. 
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-9641
PUBLISHED: 2018-05-25
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.
CVE-2018-10350
PUBLISHED: 2018-05-25
A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is requi...
CVE-2018-6232
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x22205C by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6233
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222060 by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6234
PUBLISHED: 2018-05-25
An Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first o...