Ashley Madison Is In Trouble Again, This Time For Exposing Users’ Private Pics

Life’s short, have an affair. But for the love of two-timing tricksters everywhere, don’t do it on Ashley Madison.

Following the catastrophic hack that hit the company in 2015, the dating site for extramarital action is in hot water again - this time for exposing a large portion of its cheating clientele’s private photos.

A team of security researchers has revealed that “poor technical and logical implementations” has left many images from Ashley Madison users vulnerable to exposure online. Due to these flaws, they wrote in a report, approximately 64% of the site’s private (and often explicit) pictures are accessible.

Ashley Madison users may post two kinds of photos, public and private. Public pictures are viewable by any other users on the site, while private photos can only be accessed if their owner sends a “key” to unlock them. A user can request a key, but all requests must be approved by the owner of the photos for access to be granted. Should they wish to restrict access later, an owner can revoke a key at any time.

The system makes sense on the surface, but Bob Diachenko from cybersecurity firm Kromtech and independent researcher Matt Svensson have discovered two glaring flaws.

First, Ashley Madison automatically shares keys between users. If User A shares their key with User B, User B’s key is by default shared with User A. Someone who wishes to see another member’s private images can skip the request entirely by simply sending their own key and waiting for the site to grant them access.

"This makes it much easier to brute force," said Svensson. "Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or couple of thousand users' private pictures per day."

The problem, fortunately, is not permanent. When adding a new image, users are presented with the option to automatically share their private photos when they receive a key. The box is checked by default, which many users may not notice or fully understand the implications of, but the configuration can be changed on the settings page under ‘Profile Options.’

The second issue uncovered by Diachenko and Svensson is that all private pictures can be accessed with no authentication by directly inputting the URL. A user who is granted access can easily copy and save the links, which can be accessed even if the user’s key is later revoked. In fact, anyone who has the URL - whether or not they’re an Ashley Madison member - can see the photo.

“This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year’s leak of names and addresses,” the researchers warn. The potential consequences are enormous if a clever criminal could tie explicit pictures to an identity exposed in an earlier hack.

According to Forbes, Ashley Madison implemented a limit on how many keys a user can send out after Diachenko and Svensson shared their findings. The company also added "anomaly detection" to flag possible abuses of the feature, however the automatic sharing of private keys remains the default setting for photos.