A vulnerability in the way extramarital affairs platform Ashley Madison (AM) handles private photos has been highlighted by security experts this week.
Bob Diachenko, Chief Communications Officer at Kromtech, outlined the ways in which private profiles could be made public in a blog post on the 6th of December.
Private pictures on the site, Diachenko explains, are accessed via a ‘key’. Users give their key to individual suitors voluntarily, and they can revoke it whenever they wish.
However, the researchers state that a default setting on the app has created a loophole. When user A shares their key with user B, user A automatically receives a copy of user B’s key in return.
To access a user’s private images, therefore, a hacker would simply have to upload some private images on their own profile, and then share these with target profiles.
Approximately 64% of AM users’ private images could be accessed in this way, the blog post states, and this could be particularly damaging when cross-referenced with information from social media.
The setting can be switched off via a checkbox, but anyone using the app’s default preferences is vulnerable to a hack of this kind.
Diachenko and independent analyst Matt Svensson outlined their concerns to AM in October. Since then, a number of steps have been taken to ameliorate the issue.
AM has added anomaly detection to its platform, and is now better able to detect abuses of the access key feature. A limit on the number of keys any one user can send has also been added.
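The reciprocal-key default and the send limit described above can be modelled in a few lines to show why the default matters. This is an added illustration, not Ashley Madison's code: the `KeyRegistry` class, its method names, the account names and the limit of 3 are all assumptions made for the example.

```python
from collections import defaultdict


class KeyRegistry:
    """Toy model of per-user private-photo keys (hypothetical, not AM's code)."""

    def __init__(self, reciprocate_by_default, max_sends_per_user=None):
        self.reciprocate_by_default = reciprocate_by_default
        self.max_sends = max_sends_per_user   # None = no limit on keys sent
        self.grants = defaultdict(set)        # owner -> users holding owner's key
        self.sent = defaultdict(int)          # owner -> keys sent so far
        self.choice = {}                      # user -> explicit checkbox setting

    def set_reciprocate(self, user, enabled):
        """The checkbox: a user's explicit choice overrides the default."""
        self.choice[user] = enabled

    def share_key(self, sender, recipient):
        """Sender grants recipient access. Returns False if the send limit blocks it."""
        if self.max_sends is not None and self.sent[sender] >= self.max_sends:
            return False
        self.sent[sender] += 1
        self.grants[sender].add(recipient)
        # Reciprocal grant: the recipient's key is returned without any action
        # by the recipient when their (default or explicit) setting allows it.
        if self.choice.get(recipient, self.reciprocate_by_default):
            self.grants[recipient].add(sender)
        return True

    def can_view(self, viewer, owner):
        return viewer in self.grants[owner]


def exposure_from_unsolicited_shares(registry, sender, recipients):
    """Recipients whose photos `sender` can view although they took no action."""
    for r in recipients:
        registry.share_key(sender, r)
    return sorted(r for r in recipients if registry.can_view(sender, r))


if __name__ == "__main__":
    users = ["u1", "u2", "u3", "u4", "u5"]    # constructed sample accounts
    as_described = KeyRegistry(reciprocate_by_default=True)
    as_described.set_reciprocate("u3", False)  # u3 unticked the checkbox
    print(exposure_from_unsolicited_shares(as_described, "x", users))
    hardened = KeyRegistry(reciprocate_by_default=False, max_sends_per_user=3)
    hardened.set_reciprocate("u2", True)       # u2 explicitly opted in
    print(exposure_from_unsolicited_shares(hardened, "x", users))
```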
In a statement, Matthew Maglieri, Chief Information Security Officer at Ruby Life (AM’s parent company), said: “We can confirm that his findings were corrected and that we have no evidence that any user images were compromised and/or shared outside of the normal course of our member interaction”.
He added: “All product features are transparent and allow our members total control over the management of their privacy settings and user experience”.