A flaw in the site's 'password reset' form could be the culprit
+ READ ARTICLEWorried you might be outed as a cheater in the data breach at Ashley Madison?
Turns out the extramarital affairs site, which bills itself as the “world’s leading married dating service for discreet encounters,” had leaky lips anyway. Information about who had an account wasn’t exactly hidden. Or rather, not hidden well.
Troy Hunt, a developer who specializes in security and who runs the site “Have I Been Pwned?”, revealed a flaw affecting the site in a blog post on Monday. The weakness, easily exploited, gave away whether an email address was contained in the site’s database or not; from there, one could infer who may have registered an account on the site.
The flaw affected Ashley Madison’s “password reset” form, a common Achilles heel in web security. Here’s how it worked: If you had submitted the email address of a registered account through that form, the request would trigger a certain message. Submit an email address not associated with an account, and that message would change.
So, invalid email address returned a certain screen. Valid email addresses returned a different screen. The difference? The invalid email address message contains a text box and a “send” button:
[time-brightcove not-tgx=”true”]
The valid email address message excludes those details:
What this means is that anyone who knows your email address could easily check whether you had registered an account on the site.
There is, of course, an easy way to avoid detection: Create a bogus email address and use that to register an account on the site.
“[H]ere’s the the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable,” said Hunt. Putting aside the morality of the site in question for a moment, Hunt writes: “If you want a presence on sites that you don’t want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether.”
I would take that truism one step further: always assume anything you do on the Web is discoverable—unless you’re taking some serious operational security measures to remain hidden, such as anonymizing Internet routing services, encryption, aliases, etc.
By the time Fortune tested out the flaw to verify its authenticity, the issue appeared to have been resolved.
A spokesperson for Avid Life Media, the company that owns Ashley Madison, declined to comment.