Lucian Constantin reports that ongoing examination of the AshleyMadison source code data dump contains evidence that ALM was er…. sloppy:
… A London-based security consultant named Gabor Szathmari has now found evidence that ALM’s developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company’s network.
In the leaked ALM source code repositories Szathmari found hard-coded weak database passwords, API access credentials for a cloud-based storage bucket on Amazon’s Simple Storage Service (S3), Twitter OAuth tokens, secret tokens for other applications and private keys for SSL certificates.
“The end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure,” Szathmari said Monday in a blog post. “Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley.”
Read more on CIO.