Ashley Madison users' private and explicit photos are leaking once again. Previously, the site was hacked in 2015, which led to around 32 million users' private details including email addresses and payment data ending up on the dark web. Security experts have now uncovered that the site is still leaking users' sensitive data due to the site's flawed security settings.
Security researchers at Kromtech, working with independent security researcher Matt Svensson, found that the site's security setting designed to share private photos has a major issue. Ashley Madison provides a "key" to users – using this key is the only way that users can view private photos.
However, the security researchers found that a user's key is automatically shared with another user when he/she shares his/her key with him/her. Users can also access these private photos through a URL, although this is too long to brute-force, according to the security researchers. Although users can opt out of automatically sending their private keys, the security researchers found that most users likely do not opt out.
Forbes reported that hackers could potentially set up numerous accounts to start gathering users' photos. "This makes it much easier to brute force," Svensson told Forbes. "Knowing you can create dozens or hundreds of usernames on the same email, you could get access to a few hundred or a couple of thousand users' private pictures per day."
Researchers say that this is because most people are more likely to maintain the default security settings –which the security experts called the "tyranny of the default".
According to Kromtech communications head Bob Diachenko, the Ashley Madison site's flawed security settings not only expose users' private photos but also leave them vulnerable to blackmailers. The leak can also lead to anonymous users' identity being exposed.
"Ashley Madison (AM) users were blackmailed last year, after a leak of users' email addresses and names and addresses of those who used credit cards. Some people used "anonymous" email addresses and never used their credit card, protecting them from that leak. Now, with a high likelihood of access to their private pictures, a new subset of users are exposed to the possibility of blackmail," Diachenko said in a blog. "These, now accessible, pictures can be trivially linked to people by combining them with last year's dump of email addresses and names with this access by matching profile numbers and usernames.
"Exposed private pictures can facilitate deanonymization. Tools like Google Image Search or TinEye can search the internet to try to find the same picture, including on social media sites like Facebook, Instagram, and Twitter. This sites often have your real name, connecting your AM account to your identity."
Although the site's security flaw is not an actual vulnerability, altering the default settings would likely be the simplest way to secure users' data. The researchers conducted a test to determine how many users actually opted to change the default security settings and found that 64% of Ashley Madison accounts that had private photos would automatically share keys.
Ashley Madison was reportedly made aware of the issue by the security researchers but is choosing not to implement security experts' recommendations. Gizmodo reported that Ashley Madison's parent company Avid Life Media "does not agree and sees the automatic key exchange as an intended feature."
However, Diachenko told Gizmodo that while the security flaw was a low-to-medium threat to average users, the threat could be high for users with private photos and those that were affected by the previous leak.
Svensson warned that Ashley Madison users could likely be hit yet another Fappening-like leak.