Menu
Credentials stored in Ashley Madison's source code might have helped attackers

Credentials stored in Ashley Madison's source code might have helped attackers

The company's developers were careless with sensitive credentials and secret keys, a security consultant found.

If you're a company that makes its own websites and applications, make sure your developers don't do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.

Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com's owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company's IT infrastructure.

The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company's now-former CEO and the source code for the company's other online dating websites including CougarLife.com and EstablishedMen.com.

A London-based security consultant named Gabor Szathmari has now found evidence that ALM's developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company's network.

In the leaked ALM source code repositories Szathmari found hard-coded weak database passwords, API access credentials for a cloud-based storage bucket on Amazon's Simple Storage Service (S3), Twitter OAuth tokens, secret tokens for other applications and private keys for SSL certificates.

"The end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure," Szathmari said Monday in a blog post. "Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley."

Szathmari advises all companies to remove sensitive credentials from their source code or Wiki pages. Hard-coding such secrets makes it harder to later change them and potentially exposes them to unwanted people when the source code is committed to internal or external repositories.

The problem is so common that Amazon Web Services (AWS) issued a warning about it last year after thousands of AWS secret keys were found in public source code repositories hosted on GitHub.

Also last year, URL shortening service Bitly suffered a data breach after hackers used a compromised developer account to access the company's source code repository and steal credentials for its offsite database backup that were stored there.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments