Ashley Madison developers not big on security

Just a ten minutes long browsing session of the leaked Ashley Madison source code revealed to infosec consultant Gabor Szathmari a number of security mistakes that have likely helped the attackers move within the company’s networks.

“One of the security risks of software development is passwords and other credentials hard-coded into the source code. It not only makes password rotation painful, but also exposes the secrets to unwanted people once the code is commited into a source code repository,” he explained in a blog post.

Unfortunately for Ashley Madison and their compromised sites’ users, the software developers employed by the company made those exact mistakes.

Among the things that Szathmari found in the code are database passwords (and poor ones, at that), AWS credentials, Twitter OAuth tokens, application specific tokens, and private keys of SSL certificates.

“Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley [Madison],” he pointed out, and advised developers to never ever store sensitive data in their source code tree, and to never use weak database credentials.

Weak credentials, in general, is how many companies ultimately get hacked. Even employees of companies such as Hacking Team, who should know better, have ultimately let attackers in by using simple, easy to guess passwords.

Szathmari says this would be a good time for site admins to check their source code repository and their Wiki pages for sensitive data, and remove it if found.