Menu
Credentials stored in Ashley Madison's source code might have helped attackers

Credentials stored in Ashley Madison's source code might have helped attackers

The company's developers were careless with sensitive credentials and secret keys, a security consultant found.

If you're a company that makes its own websites and applications, make sure your developers don't do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.

Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com's owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company's IT infrastructure.

The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company's now-former CEO and the source code for the company's other online dating websites including CougarLife.com and EstablishedMen.com.

A London-based security consultant named Gabor Szathmari has now found evidence that ALM's developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company's network.

In the leaked ALM source code repositories Szathmari found hard-coded weak database passwords, API access credentials for a cloud-based storage bucket on Amazon's Simple Storage Service (S3), Twitter OAuth tokens, secret tokens for other applications and private keys for SSL certificates.

"The end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure," Szathmari said Monday in a blog post. "Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley."

Szathmari advises all companies to remove sensitive credentials from their source code or Wiki pages. Hard-coding such secrets makes it harder to later change them and potentially exposes them to unwanted people when the source code is committed to internal or external repositories.

The problem is so common that Amazon Web Services (AWS) issued a warning about it last year after thousands of AWS secret keys were found in public source code repositories hosted on GitHub.

Also last year, URL shortening service Bitly suffered a data breach after hackers used a compromised developer account to access the company's source code repository and steal credentials for its offsite database backup that were stored there.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments