Ashley Madison's source code reveals poor security practices

Security credentials hard coded into repositories could have helped hackers, according to research by security consultant Gabor Szathmari.

Shh! Don't tell anyone the password

A security consultant has discovered security credentials such as database passwords, API secrets, authentication tokens and SSL private keys hard coded into Ashley Madison's source code.

According to London-based security consultant Gabor Szathmari, the firm behind the adultery website, Avid Life Media, also failed to use either CAPTCHAs or email verification to screen out bots during the account creation process.

In a blog post, Szathmari said that the “end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure”.

"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari said.

The consultant also unearthed many examples of database credentials between five and eight characters long with only two character classes. This would make the job of guessing such passwords very easy.

Szathmari also found Twitter OAuth credentials, the private keys of SSL certificates, and various application-specific tokens stored within the code. All this detail was found with just a 10-minute search of the repository.

He advised organisations never to store sensitive data within a source code tree or use weak database credentials, and to remove such information from wiki pages as well.
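An added example, not code from Szathmari's research or from Ashley Madison's repositories: a small Python audit that flags the credential types described above in source text and marks passwords matching the weak profile mentioned (five to eight characters, at most two character classes). The regexes, function names and sample config are assumptions constructed for illustration.

```python
import re

# Patterns for the credential kinds the article lists. The regexes are
# illustrative assumptions, not rules taken from Szathmari's research.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"""(?i)\b([\w.]*(?:password|passwd|pwd|secret|token)[\w.]*)\s*(?:=>|=|:)\s*["']([^"']+)["']"""
    ),
}

def char_classes(value):
    """Count character classes present: lower, upper, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in value) for check in checks)

def is_weak(value):
    """Weakness profile from the article: 5-8 chars, at most two classes."""
    return 5 <= len(value) <= 8 and char_classes(value) <= 2

def scan(text, path="<memory>"):
    """Return findings as dicts; secret values are never echoed back."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            finding = {"path": path, "line": lineno, "kind": kind}
            if kind == "assigned_secret":
                finding["name"] = m.group(1)
                finding["weak"] = is_weak(m.group(2))
            findings.append(finding)
    return findings

# Constructed sample config, not taken from the leaked repositories.
SAMPLE = '''\
$db_password = "summer15";
aws_key = "AKIAABCDEFGHIJKLMNOP"
api_token: "q7#Lm2!vXz9@pR4wT8"
-----BEGIN RSA PRIVATE KEY-----
db_host = "10.0.0.5"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE, "config.sample"):
        print(f)
```

Run as a pre-commit or CI check, findings like these block a commit before the secret reaches the repository history.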

The leak so far has led to the departure of Avid Life Media's chief executive Noel Biderman, leaving the company run by the senior management team.

With the CEO gone, questions have been raised about whose responsibility it is to ensure security of the website and its underlying code and infrastructure.

“Security is everyone's responsibility! Top to bottom everyone needs to do their part and unless that happens, the organisation will continue to have blind spots,” TK Keanini, CTO at Lancope, told SCMagazineUK.com.

He added that getting threat modelling and security built into the development cycle early, and often, is the only solution.

“Even then, flaws will get through as we have seen with the most advanced services on the internet. You can improve, but never believe that you are 100 percent secure as you are dealing with a talented and active threat actor who spends their week trying to compromise your business while you only spend a portion of that time trying to secure it,” he said.

Joe Schorr, director of Advanced Security Solutions at Bomgar, told SC that hard-coding credentials like this fixes one problem and makes things easier operationally, but opens up a Pandora's box of security implications that is far bigger and with more potential for misuse. Instead, organisations should manage their credentials in a proactive way, he said.

“Once you have credentials to get inside the network, a hacker can then cross over to other assets that might contain sensitive data or financial information.

“To prevent this, users should only be able to see assets that are specifically related to their role. If third parties are allowed access, then they should not be able to see any assets beyond what they are being brought in to fix,” he said.