Here’s an interesting twist. In the last two dumps of data were e-malls that may prove to be incriminating. Brian Krebs on his blog has reported that there’s evidence to suggest that Ashley Madison’s competitors were hacked by Ashely Madison:
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Now this doesn’t exactly cast this company in the most positive light. Thus you can expect that a lot of questions will be asked about this topic over the coming days.
Speaking of vulnerabilities, it seems that Ashley Madison were aware of theirs:
Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.
“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison employee Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].
Lovely. I’m sure the lawyers behind the class action lawsuit will be interested in this information.
The rest of this blog entry by Krebs is interesting. I encourage you to read it as it sheds new light on what goes on at Ashley Madison.
Related
This entry was posted on August 24, 2015 at 8:28 pm and is filed under Commentary with tags Ashley Madison. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Ashley Madison E-Mail Dump Shows Evidence That Competitors Were Hacked by Them
Here’s an interesting twist. In the last two dumps of data were e-malls that may prove to be incriminating. Brian Krebs on his blog has reported that there’s evidence to suggest that Ashley Madison’s competitors were hacked by Ashely Madison:
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Now this doesn’t exactly cast this company in the most positive light. Thus you can expect that a lot of questions will be asked about this topic over the coming days.
Speaking of vulnerabilities, it seems that Ashley Madison were aware of theirs:
Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.
“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison employee Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].
Lovely. I’m sure the lawyers behind the class action lawsuit will be interested in this information.
The rest of this blog entry by Krebs is interesting. I encourage you to read it as it sheds new light on what goes on at Ashley Madison.
Share this:
Like this:
Related
This entry was posted on August 24, 2015 at 8:28 pm and is filed under Commentary with tags Ashley Madison. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.