Data breach aside, your Ashley Madison affair was never a secret

Jul 20, 2015

Worried you might be outed as a cheater in the data breach at Ashley Madison?

Turns out the extramarital affairs site, which bills itself as the "world's leading married dating service for discreet encounters," had leaky lips anyway. Information about who had an account wasn't exactly hidden. Or rather, not hidden well.

Troy Hunt, a developer who specializes in security and who runs the site "Have I Been Pwned?", revealed a flaw affecting the site in a blog post on Monday. The weakness, easily exploited, gave away whether an email address was contained in the site's database or not; from there, one could infer who may have registered an account on the site.

The flaw affected Ashley Madison's "password reset" form, a common Achilles heel in web security. Here's how it worked: If you had submitted the email address of a registered account through that form, the request would trigger a certain message. Submit an email address not associated with an account, and that message would change.

So, an invalid email address returned one screen, and a valid email address returned a different one. The difference? The invalid-address message contains a text box and a "send" button:

Ashley Madison - invalid password reset

The valid email address message excludes those details:

Ashley Madison - valid password reset

What this means is that anyone who knows your email address could easily check whether you had registered an account on the site.

There is, of course, an easy way to avoid detection: Create a bogus email address and use that to register an account on the site.

"[H]ere’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable," said Hunt. Putting aside the morality of the site in question for a moment, Hunt writes: "If you want a presence on sites that you don’t want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether."

I would take that truism one step further: always assume anything you do on the Web is discoverable—unless you're taking some serious operational security measures to remain hidden, such as anonymizing Internet routing services, encryption, aliases, etc.

By the time Fortune tested out the flaw to verify its authenticity, the issue appeared to have been resolved.

A spokesperson for Avid Life Media, the company that owns Ashley Madison, declined to comment.
