Information security consultant Gabor Szathmari has discovered several security mistakes in the leaked Ashley Madison source code that would have made it easy for hackers to get to the data.
“One of the security risks of software development is passwords and other credentials hard-coded into the source code. It not only makes password rotation painful, but also exposes the secrets to unwanted people once the code is committed into a source code repository”, he revealed in a blog post.
In fact, in a mere ten minutes of searching, he discovered:
- Database credentials
- AWS credentials
- Other API tokens
- SSL certificate private keys
“Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley [Madison]”, he said.
Szathmari provides the following tips for secure development:
- Never ever store sensitive data in your source code tree
- Never use weak database credentials
- Check your source code [repository] as well as your Wiki pages for sensitive data today.
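One way to act on the last tip, scanning a checked-out repository or wiki export for the four classes of secret named above, as an added example (not code from the article or from Szathmari's post; the regexes, the sample config and the file names are constructed and not an exhaustive ruleset):

```python
import os
import re
# Regexes for the secret classes the article lists (database credentials, AWS
# credentials, API tokens, private keys); constructed here, not an exhaustive ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "db_connection_url": re.compile(
        r"\b(?:mysql|postgres(?:ql)?|mongodb)://[^\s:/]+:[^\s@]+@[^\s'\"]+"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd|db_pass)\s*[=:]\s*['\"][^'\"\s]{4,}['\"]"),
    "api_token": re.compile(
        r"(?i)\b(?:api[_-]?(?:key|token)|secret[_-]?token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
}

def scan_text(text, path="<memory>"):
    """Return (path, line_no, kind, redacted_match) for every suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Report only a short prefix so the scanner's own output does not leak the secret.
                findings.append((path, line_no, kind, match.group(0)[:8] + "..."))
    return findings

def scan_tree(root, skip_dirs=(".git", "node_modules", "vendor")):
    """Walk a checked-out repository (or wiki export) and scan every file as text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample resembling a leaked PHP config plus a .env fragment.
SAMPLE_CONFIG = """\
$db_pass = "s3cr3tPassw0rd";
DATABASE_URL = "mysql://webapp:s3cr3tPassw0rd@db01.internal/app"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_token = "tok_9f8e7d6c5b4a3f2e1d0c"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(*scan_text(SAMPLE_CONFIG, "config.php"), sep="\n")
```

Run it against a repository clone with `scan_tree(".")`; every hit is a candidate for rotation and removal from history, not just deletion in the working tree.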
Once again, weak credentials have led to a serious web attack.