The Ashley Madison hack is a fantastic example of a seemingly obscure resource that nobody cared about. Until it was hacked. That’s where things started to heat up. The catch is that the website was designed as a kind of dating platform for married people to arrange affairs. So, naturally, when 30 gigabytes of both company and customer data leaked onto the web, everyone started losing their minds.
The site had been online since 2001 and could boast an impressive collection of about 40 million cheating users. Then the Impact Team came: a group of hackers that stole a great deal of customer data and demanded that the site be taken down, or else all that information would be released online for public access. The site did not go offline as demanded and, well, garbage hit the fan. Lots of cheating spouses were exposed, scandal followed scandal, but you probably already know this story. We, as testers, are mostly interested in how the hackers actually got under Ashley Madison’s skin.
Many would assume this particular hack involved SQL injection. After all, it is a common and proven attack pattern that has already crushed the defenses of numerous websites. Nonetheless, the Ashley Madison story is not that case.
Cycura, the company assisting in the investigation of the hack, or, to be more precise, its CTO Joel Eriksson, has clearly stated that there were no indications that software vulnerabilities were exploited.
Since SQL injection works by exploiting the software applications running on the site in order to gain access to back-end databases, that cannot be our case. And, by the way, the actual cause is not being disclosed while the investigation continues.
Perhaps the hackers themselves have something to say? In fact, the Impact Team does, and they even gave an interview to Motherboard. And imagine everyone’s surprise when they claimed that no one was even watching out for them!
The Impact Team states that they worked really hard to make a classy, undetectable and smooth attack, and were astonished to find out there was nothing to bypass once they had gotten inside the system. They claim there was absolutely no security except for a segmented network: Pass1234 could have been used for the entire journey from the internet, through the VPN, to root on all servers. Where was the security testing of this site?
Such a story is insanely hard and easy to believe at the same time. Feel free to share your own thoughts in the comments!