Many news websites have reported about the data breach at the Ashley Madison website, and have focused upon the tantalizing aspects: hackers stole information about customers of a website designed to help spouses cheat, and then threatened to release that information unless the site shuts down. The Ashley Madison site has about 37 million subscribers, and is owned by Avid Life Media.
On Monday, Avid Life Media distributed this press release:
"We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion... and have had stringent security measures in place, including working with leading IT vendors from around the world. At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online."
The breach highlights a common privacy flaw, which Troy Hunt analyzed and documented in his blog. He provided this warning to consumers:
"... here’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable. It doesn’t take a data breach, sites will frequently tell you either directly or implicitly."
The last thing a cheating spouse wants to hear is that their account is discoverable. How do websites break users' online privacy? Mr. Hunt cited one example: the password reset feature.
Most sites have this feature. You've probably used it at your favorite websites and never thought much about it. The feature allows a registered customer who has forgotten their password to get a new one so they can sign into the site. The first step of a password reset feature is usually a form where the user enters their e-mail address. Mr. Hunt explained why this is a problem:
"Nine times out of ten, you submit this form and the site explicitly tells you that the email address doesn’t exist thus exposing when an email address does exist courtesy of a different response message. But Ashley Madison is different... it doesn’t deny the presence of the account."
So, a curious wife or husband could enter their spouse's e-mail address to see if he/she uses the site. Mr. Hunt's blog post presented images of Ashley Madison's forgot password feature, so I won't repeat them here. You can browse them for yourself. The important point is this: Ashley Madison's password reset feature was both good and bad. It was good because the copy in the response screen did not disclose the existence of an account:
"Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly"
It was bad -- or more precisely, failed -- because the site's feature sends a different response screen to customers versus non-customers, thereby implicitly indicating the existence, or not, of an account. During the eight years I've written this blog, I've learned one chief thing: hackers are creative, smart, and persistent. They use the same software and tools as the good guys. They read the same websites the good guys read. So, you can bet that the hackers have learned what Mr. Hunt discovered. Now, you know.
This is why Mr. Hunt concluded:
"Your affairs were never discreet – Ashley Madison always disclosed customer identities"
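To make the mechanism concrete, here is an added example (not code from the original post, from Mr. Hunt, or from Ashley Madison) of a password-reset handler that shows the neutral copy above yet still leaks, a hardened handler that does not, and the differential check a curious spouse, or a tester, would run against either. The account store, the outbox, and the particular difference between the two pages (an extra "Sign in" link on the customer page) are constructed for illustration; the real site's pages differed in their own way.

```python
# Added example, not code from the original post or from Ashley Madison:
# a password-reset handler that leaks account existence through a
# differing response, a hardened handler that does not, and the
# differential check used to tell them apart. Names and data are
# constructed for illustration.
import collections
import hmac

# Constructed sample account store (stands in for the site's database).
REGISTERED = {"alice@example.com", "bob@example.com"}

# Where a real site would hand off to a mailer; here a constructed outbox.
OUTBOX = collections.deque()

NEUTRAL_COPY = ("Thank you for your forgotten password request. If that email "
                "address exists in our database, you will receive an email to "
                "that address shortly.")


def _canon(identifier: str) -> str:
    # Normalise so "Alice@Example.com " and "alice@example.com" hit the same record.
    return identifier.strip().lower()


def reset_vulnerable(identifier: str) -> dict:
    """Neutral copy, but the page differs for customers vs. non-customers.

    The hypothetical difference here is an extra 'Sign in' link on the
    customer page; any difference (markup, headers, status, timing) is enough.
    """
    ident = _canon(identifier)
    if ident in REGISTERED:
        OUTBOX.append(("reset", ident))
        return {"status": 200,
                "body": NEUTRAL_COPY + ' <a href="/login">Sign in</a>'}
    return {"status": 200, "body": NEUTRAL_COPY}


def reset_hardened(identifier: str) -> dict:
    """Identical response for every input; existence only affects the outbox.

    The mail is queued rather than sent inline so the response time does
    not depend on whether the account exists.
    """
    ident = _canon(identifier)
    # Always do the lookup, but never let its result shape the page.
    if ident in REGISTERED:
        OUTBOX.append(("reset", ident))
    return {"status": 200, "body": NEUTRAL_COPY}


def responses_differ(a: dict, b: dict) -> bool:
    """Compare status and body. compare_digest avoids an early-exit mismatch;
    cosmetic here, but the habit matters where the comparison itself is timed."""
    if a["status"] != b["status"]:
        return True
    return not hmac.compare_digest(a["body"].encode(), b["body"].encode())


def enumerate_accounts(handler, candidates,
                       baseline="no-such-user-x7q@example.invalid"):
    """The curious-spouse check: submit a known-bad identifier to obtain a
    baseline response, then flag every candidate whose response is not
    identical to it. Works the same whether the form asks for an e-mail
    address or a username."""
    base = handler(baseline)
    return {c: responses_differ(handler(c), base) for c in candidates}


if __name__ == "__main__":
    probe = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
    print("vulnerable:", enumerate_accounts(reset_vulnerable, probe))
    print("hardened:  ", enumerate_accounts(reset_hardened, probe))
```

Against `reset_vulnerable` the check marks alice and Bob as customers and carol as not; against `reset_hardened` every candidate looks the same as the baseline, and the only place account existence shows up is the outbox, which the requester cannot see. In a real deployment the comparison would also cover headers, cookies, redirects and response time, and the endpoint would be rate-limited so that a list of addresses cannot be tried at speed.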
A better privacy approach is for password-reset features to ask for a username instead of an e-mail address. That offers a bit more protection, since an outsider must first guess the username rather than simply try an address they already know. It does not remove the flaw, though: a username form that responds differently for known and unknown names leaks in exactly the same way, so the reset feature must return an identical response whether or not the account exists. This article in The Verge explained why the above privacy flaw exists in many websites:
"... was true long before the [Ashley Madison] hack, and it was a serious data leak — but because it followed standard web practices, it slipped by mostly unnoticed. It's not the only example: you could make similar points about data retention, SQL databases or a dozen other back-end features. This is how web development usually works. You find features that work on other sites and you copy them, giving developers a codebase to work from and users a head start in figuring out the site. But those features aren't usually built with privacy in mind, which means developers often import security problems at the same time. The password reset feature was fine for services like Amazon or Gmail, where it doesn't matter if you're outed as a user — but for an ostensibly private service like Ashley Madison, it was a disaster waiting to happen."
How do your favorite websites present their password reset features? If you have encountered a site with the above privacy flaw in its password reset feature, please share below.