According to Forbes, Kromtech found that Ashley Madison, a dating site where adulterous spouses can connect with other married people looking for some extramarital action, has left users’ private photos exposed through a logical flaw in its default data settings.
That’s on top of the massive hack that compromised the site in 2015. One would think the 2015 incident had dished up enough bad karma to discourage users from returning, but that has not been the case. They simply came back with higher demands for cybersecurity on the site.
As a result of the flaw, any user can gain access to any other user’s private photos without authorization.
Furthermore, it’s possible to sign up for multiple accounts using the same email address, which Kromtech said makes it all too easy for a hacker to set up a large number of accounts in a short span of time and start acquiring photos at a rate of hundreds or even thousands of users compromised per day.
Then, once the photos have been accessed, all a threat actor would have to do is copy and paste the URL to share those photos with anyone — because, with a direct link, others would not even need an Ashley Madison account to see the photos.
“Now you can tie pictures, possibly nude pictures, to an identity,” said independent researcher Matt Svensson, who worked with Kromtech on the reveal. “This opens a person up to new blackmail schemes.”