Attacks/Breaches

9/8/2015
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Ashley Madison Guilty Of Hard-Coded Creds, Weak Bot Detection

Researchers find Amazon Web Services credentials in the source code and honeypot email addresses in the leaked user database.

Bad coding may have contributed to the doxing attack at Avid Life Media -- parent company of Ashley Madison, a dating site for people seeking extramarital affairs -- and insufficient bot detection may mean that people who've never even heard of Ashley Madison will find themselves on the leaked database. 

Researchers have found that ALM hard-coded a variety of credentials into its source code, which may have helped enable the attack. Also, ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals' email addresses -- and dozens of addresses owned by Trend Micro honeypots -- may have been used to create Ashley Madison profiles without their knowledge.

That's bad news for those whose emails are on the list, because they're being targeted by a variety of penny-ante extortion schemes looking to squeeze victims for a Bitcoin here, a Bitcoin there.

Trend Micro last week reported that it had seen criminals hitting up victims for Bitcoin using a variety of tactics. The business model is similar to that used by ransomware operators: small ransoms, lots of targets.

Some messages threatened standard extortion -- the attacker stating that they'd not only gotten the target's Ashley Madison profile, but hacked their Facebook account as well, and if the target did not pay up, they'd expose the victim's Ashley Madison profile info to their family and friends list. This message requested "exactly 1.05 BTC" (about $257 US) in payment. As of Sep. 1, Cloudmark researchers estimated that this message had already netted approximately $6,400.

Another message purported to be from Impact Team -- the group that's taken credit for the attack. The message stated that there would be yet another data dump forthcoming, which would include profile photos, messages between members, and more. With a neighborly tone, stating, "We apologize as the members of the site were not our intended targets it was company itself," it offered recipients the opportunity to completely redact their profile before the next leak, for the price of 1.15 BTC (about $281 US).

A third message claimed to be raising money for a class action lawsuit against Ashley Madison, and sends users to a website to sign up and donate.

In a blog post today, Trend Micro said it received some of these messages in the inboxes of dozens of addresses used by their honeypots, despite the fact that Trend Micro had never knowingly used those addresses to create Ashley Madison accounts.

Threat research manager Ryan Flores gathered 130 accounts that share the same signupip as the honeypot emails and believes they may have been generated by forum/comment spammers and third-party "profile creators" hired by Ashley Madison to help them build markets in new countries. He doesn't think Ashley Madison itself directly created these false accounts because only about 10 percent of the profiles claimed to be female.

He deduced that while some may have been generated by spambots, humans must have created others, including account clusters in Brazil and Korea -- a cluster being a group of accounts, all created from one IP address, within minutes of one another -- because the birthdates and usernames of the profiles were not as random as a bot would generally create.

This would be less problematic if the breach had never occurred in the first place. Yet, according to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only."

"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari wrote.

One thing Ashley Madison's security team did do right was encrypt users' passwords. However, researchers at Avast! have begun decrypting some of the weakest passwords in the database, using bcrypt. After two weeks of runtime, Avast says the CPU crack is about 4.8% complete, and the GPU crack is only about 0.0008% complete. So far, at least some of Ashley Madison's users have shown to be just as reckless creating passwords for highly sensitive sites as they are for others. The top five passwords (of those that could be cracked by bcrypt) are, in order of most to least, "123456," "password," "12345," "12345678," and "qwerty."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2015 | 11:09:14 AM
Re: Security
Embarrassing and unprofessional. Seriously, hard coding credentials, tokens and SSL certs?
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/9/2015 | 7:32:15 AM
Security
The security, or lack thereof at AVL and Ashley Madison is really embarassing. It shows that when crafting a service you need people who are well versed in web security there from the get go. You cannot build a system and hire a security pro later. 
FTC Opens Probe into Equifax Data Breach
Jai Vijayan, Freelance writer,  9/14/2017
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.