UPDATED 23:30 EDT / DECEMBER 06 2017

Ashley Madison found to be exposing members’ private photos without permission

Notorious cheating hookup site Ashley Madison is back in the news after it was discovered that the site was exposing private, often sexually explicit member photographs to other members without permission.

Discovered by security researchers Bob Diachenko and Matt Svensson, the exposure involves the way Ashley Madison handles member photos that are meant to be viewed privately by members logged into the site. Those photos are secured by a “key” that Ashley Madison shares with a member, say User A, when User B, who owns the photo, agrees to let User A view it. But in a seemingly strange oversight, when User A sends User B a key, Ashley Madison immediately provides User B's key to User A in return.

In effect, this means that any user signing up to the site, even one using multiple accounts, can obtain photographs from any member simply by sending a key linked to their own photos.

The issue, as explained by Diachenko and Svensson, is related to default settings in each account. Users can opt out, but by default the site allows automatic photo sharing: a member's photos, even when set to private, are shared when another member sends their own private photos.
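A minimal model of the key exchange described above, added here as an illustration and not Ashley Madison's code; the `Member` class, its fields and every function name are hypothetical. It contrasts the default automatic reciprocation with an opt-in flow in which the photo owner must approve, and shows how automatically created grants can be audited.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    # Assumption modelled on the article: sharing back is on by default, opt-out exists.
    auto_reciprocate: bool = True
    grants: dict = field(default_factory=dict)  # viewer name -> "explicit" | "automatic"
    pending: set = field(default_factory=set)   # requests awaiting the owner's decision


def send_key(sender: Member, recipient: Member) -> None:
    """Sender deliberately shares their private photos with recipient."""
    sender.grants[recipient.name] = "explicit"
    if recipient.auto_reciprocate:
        # The recipient took no action, yet their key is handed to the sender.
        recipient.grants.setdefault(sender.name, "automatic")
    else:
        # Opt-in behaviour: nothing is shared until the recipient approves.
        recipient.pending.add(sender.name)


def approve(owner: Member, requester_name: str) -> None:
    """Owner explicitly accepts a pending request."""
    if requester_name in owner.pending:
        owner.pending.remove(requester_name)
        owner.grants[requester_name] = "explicit"


def revoke(owner: Member, viewer_name: str) -> None:
    """Owner withdraws a key after it has been given."""
    owner.grants.pop(viewer_name, None)


def can_view_private(viewer: Member, owner: Member) -> bool:
    return viewer.name in owner.grants


def unconsented_viewers(owner: Member) -> list:
    """Audit helper: viewers whose access the owner never granted by their own action."""
    return sorted(v for v, how in owner.grants.items() if how == "automatic")
```

With the default setting, the recipient's only protection is to notice the grant and revoke it afterwards; with `auto_reciprocate=False`, the decision happens before any access exists.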

“During testing, less than 1 percent of users revoked their key after it had been given,” Diachenko wrote. “It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random user seeing their private pictures.”

After being informed of the security risk, Ashley Madison limited the number of daily key exchanges, but its parent company, Avid Life Media, stated that it “does not agree and sees the automatic key exchange as an intended feature.”

While this is clearly not a good look for the company, it has suffered worse issues. The site was famously hacked in July 2015, with the data from 30 million to 40 million users subsequently making its way online later the same year. That data dump resulted in users being blackmailed, a profitable enterprise for the scammers extorting Ashley Madison users until it ended with both a class action lawsuit and a regulatory action in Canada and Australia.

Image: Ashley Madison
