Following the Ashley Madison hack, a security blogger noticed an interesting flaw in the site’s system that would actually confirm whether or not someone was a member.
The flaw was concerned with Ashley Madison’s “Forgot Password” system, a feature that almost every site with user accounts has.
The discovery comes from Microsoft MVP for Developer Security Troy Hunt, and was linked to on Twitter by Brian Krebs, the security researcher who broke the Ashley Madison story.
a post from @troyhunt details how AshleyMadison responds differently with email addresses tied to known accounts. http://t.co/IYWTIr1ND8
— briankrebs (@briankrebs) July 22, 2015
On most sites, if you input an email address into the “Forgotten Password” box and it doesn’t match an account in the site’s database, an error comes back saying something like: “Sorry, we didn’t find an account matching that email address.”
However, on Ashley Madison – as you would expect from a site offering discreet affairs – this feature doesn’t confirm whether an account exists when you enter an email address.
Instead, it says: “If that email address exists in our database, you will receive an email to that address shortly”.
Despite this, Hunt discovered a noticeable flaw on Ashley Madison that would reveal whether an email address matched an account, to anyone looking hard enough.
The flaw has since been rectified by Ashley Madison, but other dating sites may want to check they haven’t made the same mistake.
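To show what “responds differently” means in practice, and the check a site can run on its own reset endpoint, here is an added example (constructed for this article, not Ashley Madison’s or Troy Hunt’s code). A leaky “forgot password” handler sits beside a hardened one that answers identically whether or not the address is registered; the account list and email sender are stand-ins.

```python
# Added illustration, not code from the site or the article's author.
# Constructed stand-ins for the user store and the outgoing mail queue.
REGISTERED = {"alice@example.com", "bob@example.com"}
SENT = []  # addresses a reset email was "sent" to


def _send_reset_email(address):
    SENT.append(address)


def forgot_password_leaky(address):
    """Weak: status code and wording both depend on whether the account exists,
    so the reply itself confirms membership."""
    if address in REGISTERED:
        _send_reset_email(address)
        return 200, "Thanks! Check your inbox for the reset link."
    return 404, "Sorry, we didn't find an account matching that email address."


def forgot_password_hardened(address):
    """Hardened: one status and one body for every input; the email is still
    only sent to real accounts. In a real deployment, queue the send so the
    response time does not differ either."""
    if address in REGISTERED:
        _send_reset_email(address)
    return 200, ("If that email address exists in our database, "
                 "you will receive an email to that address shortly.")


def response_is_uniform(handler, known, unknown):
    """Defender's check: a registered and an unregistered address must produce
    byte-identical responses (status and body). Run this against the real
    endpoint over HTTP and compare the full body, not just the visible text."""
    return handler(known) == handler(unknown)
```

The same comparison should cover headers, redirects and any hidden HTML differences, since a page that differs anywhere gives the answer away just as surely as a different error message.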
Find out what it is here.