Ashley Madison made dumb security mistakes, researcher says

A “ten minute search” by a security bod has provided some hints about the coding errors that might lie behind the now-infamous Ashley Madison hack.

While the author doesn't make the specific claim that these mistakes lie behind the Ashley Madison hack, it hints at the kind of inattention that opens sites to attack.

The London-based blogger, security consultant Gabor Szathmari, writes that the Ashley Madison source code “contains AWS tokens, database credentials, certificate private keys and other secret credentials”.

In particular, Szathmari singles out the AWS tokens as a serious risk, since once the Impact Team had made its initial breach, “lateral movement” between systems would be easier and probably helped lead to the full breach.

The developers also seemed to share World+Dog's dislike for long passwords, since Szathmari says he found many database credentials between 5 and 8 characters long, with only two character classes.

Other dumb mistakes included Twitter OAuth credentials, the private keys of SSL certificates, and various application-specific tokens, all stupid things to store in-code.

The Register expects that the lawyers now slinging sue-balls at Ashley Madison, as well as AWS and GoDaddy, will be looking for hired guns to comb the code-base for themselves.

If you happen to be a site operator, it might be a good time to check your own code tree. ®