Ashley Madison has flaw that gives undue access to private photos

Brazil is the country with the 2nd most users on the Ashley Madison infidelity site

A new security flaw promises to cause headaches for users of Ashley Madison, the dating site aimed at extramarital affairs. Researchers have found that photos published and marked as private can be easily accessed by anyone who has the file’s URL, even without an account on the service.

In theory, these images are locked behind a key that should be shared only with the owner’s express authorization, but the platform’s configuration hands that key over automatically when another user sends theirs.

Ashley Madison – Photo: Disclosure / Ashley Madison

The discovery was made by security researcher Matt Svensson, and involves the way the site itself handles file storage. By default, Ashley Madison has two types of photos: public images can be seen by everyone, while private ones are protected by a security key, which must be released by the owner for other users to access.

The problem lies in the site settings, which, by default, release a user’s key to any account that shares its own key first. This makes it easy for one person to access another’s private content without the owner knowing.

To demonstrate the scale of the problem, the researchers created a program that automatically sent their own key to a random portion of about 1 million users who had private photos, and found that 64% of them returned their own keys automatically.

Ashley Madison options make it easy to access private photos – Photo: Playback / MacKeeper

The same feature is available on two other websites from Avid Life Media, the developer responsible for Ashley Madison, but is disabled by default there. The company was informed of the problem and replied that this is part of how it intends the site to operate. It has refused to change the option, although it has limited the number of keys that can be shared per day.

This, however, is not the only vulnerability found in Ashley Madison’s photo system. The image URLs are not protected and can be accessed by anyone who has the address, even someone who is not a user of the site. The only form of protection is a change to the file name, which now has 32 characters, making it difficult to discover photos by chance.
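A minimal model of the two behaviours described above (keys returned automatically by default, and photos served to anyone holding the URL), next to a per-request authorization check. This is an added illustration, not Ashley Madison's code; the class and function names, the hex-encoded file names and the sample accounts are assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    auto_reciprocate: bool = True             # the default the article describes
    grants: set = field(default_factory=set)  # viewers allowed to see private photos

class PhotoService:
    def __init__(self, accounts):
        self.accounts = accounts              # name -> Account
        self.photos = {}                      # photo_id -> (owner, is_private)

    def add_photo(self, owner, is_private):
        photo_id = secrets.token_hex(16)      # 32-character name (hex is an assumption)
        self.photos[photo_id] = (owner, is_private)
        return photo_id

    def share_key(self, sender, recipient):
        """sender lets recipient view sender's private photos."""
        self.accounts[sender].grants.add(recipient)
        # Reciprocal default: the recipient's key goes back without their action.
        if self.accounts[recipient].auto_reciprocate:
            self.accounts[recipient].grants.add(sender)

    def fetch_by_url(self, photo_id):
        """Behaviour the article describes: possessing the URL is sufficient."""
        return photo_id in self.photos

    def fetch_checked(self, photo_id, viewer=None):
        """Hardened: check the grant per request; viewer=None means no session."""
        if photo_id not in self.photos:
            return False
        owner, is_private = self.photos[photo_id]
        if not is_private:
            return True
        return viewer in self.accounts and (
            viewer == owner or viewer in self.accounts[owner].grants)

def demo():
    # Constructed sample accounts; bob has turned the reciprocal option off.
    svc = PhotoService({"alice": Account(), "carol": Account(),
                        "bob": Account(auto_reciprocate=False)})
    a_photo, b_photo = svc.add_photo("alice", True), svc.add_photo("bob", True)
    svc.share_key("carol", "alice")   # alice keeps the default: her key goes back
    svc.share_key("carol", "bob")     # bob opted out: nothing is returned
    return (svc.fetch_by_url(a_photo),            # URL alone, no account
            svc.fetch_checked(a_photo),           # no session
            svc.fetch_checked(a_photo, "carol"),  # reciprocal grant
            svc.fetch_checked(b_photo, "carol"))  # bob never granted
```

The long random name only makes a photo hard to find by chance; in `fetch_checked` it is the grant lookup, not the name, that decides whether a private image is served.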

Ashley Madison became known in 2015, after the leak of a package with more than 32 GB of data from more than 32 million users, which included identification data and credit cards – causing the end of marriages.