In 2015, cheating site Ashley Madison suffered a data breach in which the personal data of 37 million users was stolen and then sold on dark web marketplaces. The fallout was so devastating that a retired police captain of the City of San Antonio police department committed suicide after his official email address was found in the leaked data.
After the incident, the logical assumption was that it was the end of Ashley Madison, but it turns out that the site is still immensely popular among cheaters surfing for fun. For those cheaters, there’s bad news. According to IT security researchers, the website has been exposing users’ personal data, including private and explicit photos, because of its flawed default security settings.
Ashley Madison offers two kinds of photo sharing: one is for public view, and the other lets users keep their photos private, protected by a key. The only way to access someone’s private pictures on the site is to receive that key from the user.
However, a joint investigation by the Kromtech Security team and independent security researcher Matt Svensson found that Ashley Madison’s default settings share one user’s key with another user if that user shares their key with them. Simply put, if you share your key with someone, their key will be automatically shared with you and vice versa. That’s not all: once a key has been obtained, the photos can be viewed through a URL, and even those who never signed up to Ashley Madison can access these pictures without authentication.
It’s true that this is not a vulnerability but a consequence of sticking with default settings, or the “tyranny of the default,” as the researchers put it. To prove their point, the researchers carried out a test by giving “a private key to a random sample of users that had private pictures” and concluded that “26% of users had private pictures while 64% of users accounts that had private pictures automatically returned their key.”
The security researchers contacted Ashley Madison’s parent company with their findings, and for now, the number of daily key exchanges has been limited, but the company does not agree with the findings and sees the automatic key exchange as an intended feature. Therefore, if you have an account with Ashley Madison, your private photos might not be as secure as you thought.
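The sharing behaviour the researchers describe, modelled as an added example (not Ashley Madison's or the researchers' code; the setting names `auto_return_key` and `url_requires_auth` and the users are constructed for illustration). It runs the same one-sided key share twice: once with the reported defaults, and once with reciprocal sharing made opt-in and the photo URL checked against an authenticated session.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    name: str
    auto_return_key: bool                          # hypothetical setting name
    key_holders: set = field(default_factory=set)  # accounts granted this user's key

class PhotoService:
    """Toy model of the sharing flow described in the article."""

    def __init__(self, auto_return_default: bool, url_requires_auth: bool):
        self.auto_return_default = auto_return_default
        self.url_requires_auth = url_requires_auth

    def register(self, name: str, auto_return_key: Optional[bool] = None) -> Account:
        # Users who never touch the setting inherit the service default.
        chosen = self.auto_return_default if auto_return_key is None else auto_return_key
        return Account(name, chosen)

    def share_key(self, giver: Account, receiver: Account) -> None:
        giver.key_holders.add(receiver.name)
        if receiver.auto_return_key:               # grant the receiver never made
            receiver.key_holders.add(giver.name)

    def fetch_photo(self, owner: Account, requester: Optional[Account]) -> bool:
        """requester=None models a request for the photo URL with no session."""
        if not self.url_requires_auth:
            return True                            # possession of the URL is enough
        return requester is not None and requester.name in owner.key_holders

def run(service: PhotoService) -> dict:
    alice = service.register("alice")              # constructed users, default settings
    bob = service.register("bob")
    service.share_key(bob, alice)                  # only bob chose to share
    return {
        "bob_holds_alice_key": "bob" in alice.key_holders,
        "anonymous_url_fetch": service.fetch_photo(alice, None),
        "bob_fetch": service.fetch_photo(alice, bob),
    }

as_reported = run(PhotoService(auto_return_default=True, url_requires_auth=False))
hardened = run(PhotoService(auto_return_default=False, url_requires_auth=True))
```

With the reported defaults, alice's photos become reachable although she never shared anything; with the corrected settings they stay private until she grants her key herself.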