Ashley Madison's Private Picture Aren't That Private
Back in October, I have received a heads up from independent security researcher, Matt Svensson, who was in the middle of his investigation related to Ashley Madison (AM) and a logical flaw in their default settings that allows access to large amount of users' private photos.
We partnered together to work out the attack vectors and impact and privately disclosed the issues to AM parent company who worked hard to address all the privacy concerns. The following report is the result of our joint efforts.
Ashley Madison, the online cheating site that was hacked two years ago, is still exposing its users' data. This time, it is because of poor technical and logical implementations.
As a result, approximately 64% of Ashley Madison (AM) private, often explicit, pictures are accessible. This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year's leak of names and addresses.
Let's look at how "Sarah" and "Jim," two hypothetical users on AM, can have their privacy broken.
AM has two types of pictures, public and private, neither of which are required. Public pictures are viewable by any AM user. Private pictures are secured by a "key." Sarah can send her key to Jim so he can see her pictures. Jim can request Sarah's key, requiring her explicit approval. Sarah can also revoke Jim's key, restricting his access.
This structure makes sense but, two issues open the door to problems:
- By default, AM will automatically share Sarah's key with Jim if he shares his key with her.
- Pictures can be accessed, without authentication, by directly accessing its URL.
To protect her privacy, Sarah created a generic username, unlike any others she uses and made all of her pictures private. She has denied two key requests because the people did not seem trustworthy. Jim skipped the request to Sarah and simply sent her his key. By default, AM will automatically give Jim Sarah's key.
That's right, Jim can now see all of Sarah's private pictures, rated (aka explicit) and non-rated.
How does this happen? When adding a picture, the box to share your private pictures is already checked. If you keep this box checked, it will apply the same setting to additional pictures of the same type (public or private).
There are two issues with this implementation. First, few understand the implications nor think through the way it could be exploited. Second, as Steve Gibson would put it, is the "tyranny of the default." As he explains it, "whatever the default settings are, most of the time that's what they end up being forever." People will simply click through the options, leaving them as recommended. The only way to change this configuration is to go deep into the settings page.
Let's go back to our metaphorical users. Sarah will at least get an email saying that she received Jim's key and can go to AM to validate the interaction and revoke the key Jim was given.
During testing, less than 1% of users revoked their key after it had been given. It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random AM user seeing their private pictures.
Thosethose that revoked their key, access is now denied.
Actually, that's not 100% true. Once Jim is granted access to Sarah's pictures, he is able to see the link, e.g. https://photo-cdn.ashleymadison.com/[picture_name]. Not only can he access the picture, with this link, anyone can access the picture without authentication, AM user or not. While the picture URL is too long to brute-force (32 characters), AM's reliance on "security through obscurity" opened the door to persistent access to users' private pictures, even after AM was told to deny someone access.
In order to prove the validity of this issue, we wrote a program to iterate through all IDs, aka profile numbers, (0-99,999,999) and gave a private key to a random sample of users that had private pictures. Based on this random sampling:
AM's parent company, Ruby, also controls two other sites, Established Men and Cougar Life. Both of these sites also have automatic key exchange and require no authentication to directly access picture URLs; however, they at least force a user to pick if they want to enable sharing by default instead of defaulting it on and requiring a user to uncheck the box.
The implications of these issues are many.