Ashley Madison Is Still Not Safe For Cheaters


Remember that time that a string of celebrities had their private nude images published online? It could happen again, according to cybersecurity firm Kromtech — and this time with regular people.

According to Forbes, Kromtech found that Ashley Madison, a dating site where adulterous spouses can connect with other married people looking for some extramarital action, has left users’ private photos exposed through a logical flaw in its default data settings.

That’s on top of the massive hack that compromised the site in 2015. One would think the 2015 incident had dished up enough bad karma to discourage users from returning, but that has not been the case. They simply came back with higher demands for cybersecurity on the site.

Despite those demands, Ashley Madison has once again let its users down. Kromtech explains that the site secures private photos with a “key,” which another user can obtain simply by sharing his or her own key first, even if the first user declines to share his or her own private key.

In other words, any user can gain access to any other user’s private photos without authorization.

Furthermore, it’s possible to sign up for multiple accounts using the same email address, which Kromtech said makes it all too easy for a hacker to set up a large number of accounts in a short span of time and start acquiring photos at a rate of hundreds or even thousands of users compromised per day.

Then, once the photos have been accessed, all a threat actor would have to do is copy and paste the URL to share those photos with anyone — because, with a direct link, others would not even need an Ashley Madison account to see the photos.

Linking those images to real-world individuals would not be hard, said the researchers. Users may be anonymized, but by crosschecking usernames on other social sites, they were able to connect people to their Ashley Madison accounts.

“Now you can tie pictures, possibly nude pictures, to an identity,” said independent researcher Matt Svensson, who worked with Kromtech on the reveal. “This opens a person up to new blackmail schemes.”
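The key-exchange default and the duplicate-email registration described above can be modelled in a few lines to show why both settings matter. This is an added illustration, not Ashley Madison's or Kromtech's code; the class, the flag names and the sample accounts are all hypothetical.

```python
# Toy model of the key-exchange logic described in the article.
# Added illustration only: every name here is hypothetical, not the site's code.

class KeyService:
    def __init__(self, auto_reciprocate, unique_email):
        self.auto_reciprocate = auto_reciprocate  # True = weak default
        self.unique_email = unique_email          # True = one account per address
        self.emails = {}     # username -> email
        self.grants = set()  # (owner, viewer): viewer may see owner's private photos

    def register(self, username, email):
        if self.unique_email and email in self.emails.values():
            raise ValueError("email already registered")
        self.emails[username] = email

    def share_key(self, sender, recipient):
        """sender lets recipient view sender's private photos."""
        self.grants.add((sender, recipient))
        if self.auto_reciprocate:
            # Flaw: the recipient's key is handed back without their consent.
            self.grants.add((recipient, sender))

    def can_view(self, viewer, owner):
        """Authorization check; viewer is None for an unauthenticated request."""
        return viewer is not None and (viewer == owner or (owner, viewer) in self.grants)


def exposure(service, owners, accounts=3):
    """Return (accounts created with one address, owners exposed without consent)."""
    for owner in owners:
        service.register(owner, f"{owner}@example.test")  # constructed data
    senders = []
    for i in range(accounts):
        try:
            service.register(f"acct{i}", "same@example.test")
            senders.append(f"acct{i}")
        except ValueError:
            break  # duplicate address rejected
    exposed = 0
    for n, owner in enumerate(owners):
        sender = senders[n % len(senders)]
        service.share_key(sender, owner)  # unsolicited share; owner does nothing
        exposed += service.can_view(sender, owner)
    return len(senders), exposed


OWNERS = ["u1", "u2", "u3", "u4"]
weak = exposure(KeyService(auto_reciprocate=True, unique_email=False), OWNERS)
hardened = exposure(KeyService(auto_reciprocate=False, unique_email=True), OWNERS)
print("weak defaults:", weak, "hardened:", hardened)
```

With the weak defaults every owner in the sample is exposed without taking any action; with reciprocation off and unique addresses enforced, none is, and access exists only after an owner calls `share_key` explicitly.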