Ashley Madison found to be exposing members’ private photos without permission
Notorious cheating hookup site Ashley Madison is back in the news after it was discovered that the site was exposing private, often sexually explicit member photographs to other members without permission.
Discovered by security researchers Bob Diachenko and Matt Svensson, the exposure involves the way Ashley Madison handles member photos that are meant to be viewed privately by members logged into the site. Those photos are secured by a “key” that Ashley Madison shares with a member, say User A, when User B, who owns the photo, agrees to let User A view it. But in a seemingly strange oversight, when User A sends User B the key to User A’s own photos, Ashley Madison immediately provides User B’s key to User A in return.
In effect, what this means is that any users signing up to the site, even using multiple accounts, can obtain photographs from any member simply by sending a key linked to their own photos.
The issue, as explained by Diachenko and Svensson, is related to default settings in each account. Users can opt out of this behavior, but by default the site allows automatic photo sharing: when another member sends their private photos, the recipient’s photos are shared in return, even though they are set to private.
“During testing, less than 1 percent of users revoked their key after it had been given,” Diachenko wrote. “It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random user seeing their private pictures.”
After being informed of the security risk, Ashley Madison limited the number of daily key exchanges, but its parent company, Avid Life Media, stated that it “does not agree and sees the automatic key exchange as an intended feature.”
While this is clearly not a good look for the company, it has suffered worse issues. The site was famously hacked in July 2015, with the data from 30 million to 40 million users subsequently making its way online later the same year. That data dump resulted in users being blackmailed, a profitable enterprise for the scammers extorting Ashley Madison users until it ended with both a class action lawsuit and a regulatory action in Canada and Australia.