Credentials stored in Ashley Madison’s source code might have helped attackers

If you’re a company that makes its own websites and applications, make sure your developers don’t do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.

Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com’s owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company’s IT infrastructure.

The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company’s now-former CEO and the source code for the company’s other online dating websites including CougarLife.com and EstablishedMen.com.

A London-based security consultant named Gabor Szathmari has now found evidence that ALM’s developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company’s network.

In the leaked ALM source code repositories Szathmari found hard-coded weak database passwords, API access credentials for a cloud-based storage bucket on Amazon’s Simple Storage Service (S3), Twitter OAuth tokens, secret tokens for other applications and private keys for SSL certificates.

“The end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure,” Szathmari said Monday in a blog post. “Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley.”

Szathmari advises all companies to remove sensitive credentials from their source code or Wiki pages. Hard-coding such secrets makes it harder to later change them and potentially exposes them to unwanted people when the source code is committed to internal or external repositories.

The problem is so common that Amazon Web Services (AWS) issued a warning about it last year after thousands of AWS secret keys were found in public source code repositories hosted on GitHub.

Also last year, URL shortening service Bitly suffered a data breach after hackers used a compromised developer account to access the company’s source code repository and steal credentials for its offsite database backup that were stored there.