
Ashley Madison CEO knew of potential security flaws, leaked emails reveal

Security flaws were evidently reported around the time of the hack.


Dell Cameron


Posted on Aug 25, 2015   Updated on May 28, 2021, 2:30 am CDT

Emails leaked from the servers of Ashley Madison reveal the company had concerns about its cybersecurity immediately prior to last month’s hack.

On Friday, hackers going by the name Impact Team released more than 100,000 stolen private emails from the inbox of Noel Biderman, CEO of Avid Life Media (ALM), the Toronto, Canada-based company behind Ashley Madison and other dating websites.

An earlier data dump exposed as many as 33 million users of the adultery-themed site, making it one of the largest user data releases in history. The stolen databases included Ashley Madison usernames, street addresses, phone numbers, email addresses, partial credit card information, and more.

The leaked Biderman emails show that on multiple occasions the CEO was contacted by security researchers who believed the Ashley Madison site could be hacked and its customers exposed. 

In one email, an information security consultant who identified himself as Jayson Zabate from the Philippines contacted ALM about a security flaw in Ashley Madison.

“I recently browsed into your website [Ashley Madison], as with first instinct I tried to search for a flaw in your application,” wrote Zabate. “After a few attempts, I find security vulnerability on your website.”

Zabate inquired about a reward program for discovering bugs in ALM’s system. According to an email from ALM security chief Mark Steele, who was hired only a few months before the hack became public in July, the company had such a bounty program in place.

In a May 25 email, Biderman was contacted directly by another security researcher named Paul Mutton, who warned that hackers could potentially expose Ashley Madison user-registration data.

“I suspect it might be possible for a third-party website to determine whether a visitor has registered to use AshleyMadison.com, what their username is, and other details pertaining to their account. Interested?” wrote Mutton.

“Given our open registration policy and recent high-profile exploits, every security consultant and their extended family will be trying to trump up business,” Steele told Biderman in a same-day email.

Steele added: “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing).”

XSS [cross-site scripting] and CSRF [cross-site request forgery] are two of the most common classes of Web application vulnerability. In an XSS attack, the site fails to encode user-supplied input before echoing it back in a page, so an attacker can inject script that runs in other visitors’ browsers and harvest their credentials or session cookies, giving direct access to accounts without a password. In a CSRF attack, a page on an attacker-controlled site silently submits a request to the vulnerable site, and because the victim’s browser attaches their login cookie automatically, the site carries out the action (changing an email address, deleting or altering an account) as if the user had requested it. Both stem from mistakes in the code base rather than in the infrastructure, and both are especially common in older Web applications. As Steele noted, exploiting them in the wild usually requires luring a logged-in user to an attacker-controlled link or page, which is why he described them as easy to find but harder to exploit.

In an email to Biderman the following day, Steele indicated that Mutton had yet to discover any flaws in ALM’s system, but he wanted permission to conduct penetration tests on the Ashley Madison website.

When Impact Team first revealed its hack of Ashley Madison, the hackers demanded that the site be taken offline due to allegedly dishonest business practices, including a $19 service that promised to completely delete paying users’ data from the company’s databases. 

Failure to take Ashley Madison offline would trigger the release of user data and other company information, the hackers wrote—a promise they made good on last week.

While condemning Ashley Madison, the hackers apologized to Steele for breaking through the site’s security. 

“Our one apology is to Mark Steele (Director of Security),” the hackers wrote in their manifesto. “You did everything you could, but nothing you could have done could have stopped this.”

Other emails revealed by Impact Team’s leak, uncovered by security reporter Brian Krebs on Tuesday, appear to show that ALM executives hacked a dating service run at the time by Nerve.com, an online culture news site, in 2012, to gain a competitive edge. And in 2013, emails discovered by the Daily Dot show, Biderman and other top ALM executives discussed paying off a former spokeswoman, who threatened to make public her allegations that a company vice president had sexually harassed her. 

The spokeswoman, London-based sex expert Louise Van der Velde, demanded £10,000 ($15,686) to stay quiet, though it is unclear from the emails whether ALM paid her the money.

Van der Velde refused to comment on the harassment allegations or the related emails. ALM has not returned our multiple requests for comment concerning the hacked emails.

As ALM coordinates with law enforcement agencies in the U.S. and Canada, many former users are preparing to mount legal cases against the company.

A class-action complaint was filed against ALM this week in the U.S. District Court for the Central District of California, alleging a breach of privacy and negligence. In St. Louis, a woman has filed a federal lawsuit claiming that she paid the company to delete her personal information, which was nonetheless discovered in the leak. And another U.S. class-action lawsuit is expected soon from the Dallas-based Schmidt Law Firm, which is accepting clients in all 50 states.

In addition, two Canadian law firms, Sutts, Strosberg LLP and Charney Lawyers, have filed a $573 million suit, which has reportedly drawn interest from over 1,000 Ashley Madison clients.

Jamie Woodruff contributed reporting to this article.

Illustration by Max Fleishman

First Published: Aug 25, 2015, 6:57 pm CDT