Attacks/Breaches
9/8/2015
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Ashley Madison Guilty Of Hard-Coded Creds, Weak Bot Detection

Researchers find Amazon Web Services credentials in the source code and honeypot email addresses in the leaked user database.

Bad coding may have contributed to the doxing attack at Avid Life Media -- parent company of Ashley Madison, a dating site for people seeking extramarital affairs -- and insufficient bot detection may mean that people who've never even heard of Ashley Madison will find themselves on the leaked database. 

Researchers have found that ALM hard-coded a variety of credentials into its source code, which may have helped enable the attack. Also, ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals' email addresses -- and dozens of addresses owned by Trend Micro honeypots -- may have been used to create Ashley Madison profiles without their knowledge.

That's bad news for those whose emails are on the list, because they're being targeted by a variety of penny-ante extortion schemes looking to squeeze victims for a Bitcoin here, a Bitcoin there.

Trend Micro last week reported that it had seen criminals hitting up victims for Bitcoin using a variety of tactics. The business model is similar to that used by ransomware operators: small ransoms, lots of targets.

Some messages threatened standard extortion -- the attacker stating that they'd not only gotten the target's Ashley Madison profile, but hacked their Facebook account as well, and if the target did not pay up, they'd expose the victim's Ashley Madison profile info to their family and friends list. This message requested "exactly 1.05 BTC" (about $257 US) in payment. As of Sep. 1, Cloudmark researchers estimated that this message had already netted approximately $6,400.

Another message purported to be from Impact Team -- the group that's taken credit for the attack. The message stated that there would be yet another data dump forthcoming, which would include profile photos, messages between members, and more. With a neighborly tone, stating, "We apologize as the members of the site were not our intended targets it was company itself," it offered recipients the opportunity to completely redact their profile before the next leak, for the price of 1.15 BTC (about $281 US).

A third message claimed to be raising money for a class action lawsuit against Ashley Madison, and sends users to a website to sign up and donate.

In a blog post today, Trend Micro said it received some of these messages in the inboxes of dozens of addresses used by their honeypots, despite the fact that Trend Micro had never knowingly used those addresses to create Ashley Madison accounts.

Threat research manager Ryan Flores gathered 130 accounts that share the same signupip as the honeypot emails and believes they may have been generated by forum/comment spammers and third-party "profile creators" hired by Ashley Madison to help them build markets in new countries. He doesn't think Ashley Madison itself directly created these false accounts because only about 10 percent of the profiles claimed to be female.

He deduced that while some may have been generated by spambots, humans must have created others, including account clusters in Brazil and Korea -- a cluster being a group of accounts, all created from one IP address, within minutes of one another -- because the birthdates and usernames of the profiles were not as random as a bot would generally create.

This would be less problematic if the breach had never occurred in the first place. Yet, according to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only."

"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari wrote.

One thing Ashley Madison's security team did do right was encrypt users' passwords. However, researchers at Avast! have begun decrypting some of the weakest passwords in the database, using bcrypt. After two weeks of runtime, Avast says the CPU crack is about 4.8% complete, and the GPU crack is only about 0.0008% complete. So far, at least some of Ashley Madison's users have shown to be just as reckless creating passwords for highly sensitive sites as they are for others. The top five passwords (of those that could be cracked by bcrypt) are, in order of most to least, "123456," "password," "12345," "12345678," and "qwerty."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2015 | 11:09:14 AM
Re: Security
Embarrassing and unprofessional. Seriously, hard coding credentials, tokens and SSL certs?
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/9/2015 | 7:32:15 AM
Security
The security, or lack thereof at AVL and Ashley Madison is really embarassing. It shows that when crafting a service you need people who are well versed in web security there from the get go. You cannot build a system and hire a security pro later. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Experienced reindeers wanted
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.