Security Flaw Let Team Hack 11m ‘Uncrackable’ Ashley Madison Passwords
The recent Ashley Madison hack sparked a frenzy amongst security researchers, with teams around the world rushing to analyse the data after it was released online.
One thing researchers noted was that the Canada-based company had in fact stored its customer’s passwords using bcrypt hashes, making it almost impossible for anyone to decode all 36m leaked passwords.
Since the leak, there have been a number of researchers trying to see how many passwords they could break – earlier in the week Avast released its list of the worst passwords they cracked from the Ashley Madison data dump.
And while it was widely thought it would take years to crack a substantial number of the passwords, cracking group CynoSure Prime claim to have used a new method, and cracked 11m of the 36m passwords.
As they said, because the developers used a cost factor of 12 for the bcrypt hash, cracking the passwords was thought to be an extremely compute intensive task.
In a blog post published yesterday, CynoSure Prime explained how they discovered two Ashley Madison programming errors that apparently allowed them to crack millions of the “uncrackable” passwords.
The password-cracking group focused on inspecting the second leak of git dumps, due to the lack of information available about the site’s $loginkey variable.
After learning that they could exploit two functions related to the methods of $loginkey generation, they were able to gain “enormous speed boosts” in hacking the passwords.
In a blog post, the company said: “Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5(lc($username).”::”.lc($pass)) and md5(lc($username).”::”.lc($pass).”:”.lc($email).”:73@^bhhs&#@&^@8@*$”) tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart.
“The $loginkey variable seemed to be used for automatic login, but we didn’t spend much time investigating further. It was generated upon user account creation and was re-generated when the user modified their account details including username, password and email address.”
As Dan Goodin from Ars Technica said: “The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.”
Read more about the cracking team’s discovery here.