Credentials in the Ashley Madison Sources

One of the security risks of software development is passwords and other credentials hard-coded into the source code. It not only makes password rotation painful, but also exposes the secrets to unwanted people once the code is commited into a source code repository.

A quick analysis of the leaked Ashley Madison dumps shows that software developers of AM forgot about these risks. Their source code contains AWS tokens, database credentials, certificate private keys and other secret credentials.

Secrets in the Source Code

The end result of sensitive data stored in the Ashley Madison Git source code repos is a much more vulnerable infrastructure. Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley.

Database Credentials

The database passwords I found were between 5 and 8 characters, and many of them contained 2 character classes only.

Database Credentials in Source CodeDatabase Credentials in Source Code

Secret Tokens

First of all we have an AWS API credential for an S3 bucket in a unit test file.

AWS API Token in Source Code

Seems like the developers have hard-coded some Twitter OAuth tokens also into their unit tests. (Update 07/09/2015: Removed, these creds are part of the ‘request’ package)

Finally we have some application specific tokens here.Application Token in Source Code

SSL Certificates

Private keys of SSL certificates are also stored in the repo.

Certificate Private Keys in Source Code Certificate Private Keys in Source Code Certificate Private Keys in Source Code

Overview

Let’s review what information I gathered about the full application stack of Ashley Madison with a 10 minute search:

  • Database credentials
  • AWS credentials
  • Other API tokens
  • SSL certificate private keys

Recommendations

The obligatory tips for making lateral movement harder on your network:

  • Never ever store sensitive data in your source code tree
  • Never use weak database credentials

Finally do yourself a favour and check your source code repo as well as your Wiki pages for sensitive data today.

Further reading:

Update (07/09/2015): Additional API secrets and database credentials

Update (09/09/2015): Coverage of these findings in The Register, CIO, CSO, Office of Inadequate Security, DarkReading, Help Net Security, The Cyber Law Library

Update (14/09/2015): Additional coverage in SC Magazine

Photo courtesy of Tim Ellis

Gabor

Gabor Szathmari is a cybersecurity expert and digital privacy enthusiast. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion.