Hacker fans give Mr. Robot website free security checkup

The USA Network show Mr. Robot has drawn a good deal of praise for its accurate (relative to other TV shows) portrayal of hacking and computer security. So, naturally, the site for the show has drawn a slightly different sort of adoring fan—“white hat” hackers looking for security holes.

On May 10, USA Network launched a new site for Mr. Robot promoting the July debut of the series’ second season—a JavaScript-powered page that uses text input and mimics a Linux shell (complete with a GRUB bootup message). On the same day, as Forbes’ Thomas Fox-Brewster reported, a hacker operating under the name Zemnmez reported a cross-site scripting (XSS) vulnerability in the Mr. Robot site that could have been used to trick the site’s visitors into giving up their Facebook profile data. Zemnmez sent an e-mail about the vulnerability to Mr. Robot writer Sam Esmail; within a few hours, according to NBC Universal (USA Network’s corporate parent), the vulnerability was removed.

News of the vulnerability apparently piqued the interest of other hackers in the show’s fanbase. On May 13, another “white hat” hacker who calls himself corenumb poked around the site’s e-mail registration code and found that the PHP code behind it was vulnerable to a type of attack called blind SQL injection—an attack that embeds SQL commands into text sent to a website and that works even when the site suppresses the database error messages that would normally reveal (and so help block) such attacks, leaving the attacker to infer results from how the page responds. The vulnerability would have allowed a malicious attacker to execute SQL commands against the database used for the show’s e-mail list. Corenumb was able to retrieve information about the backend database and the server it runs on using sqlmap, an open source penetration testing toolkit used specifically for checking for SQL injection vulnerabilities.
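To make the two bug classes in the article concrete, here is an added example, not code from the Mr. Robot site or from the Ars Technica piece: a minimal PHP e-mail list registration check written in the injectable form the article describes and again in a hardened form, plus an HTML-escaped confirmation message for the XSS side. The table name, column name, function names and sample inputs are all assumptions made for the illustration; the database is an in-memory SQLite instance reached through PDO so the script runs stand-alone.

```php
<?php
// Added example, not the show's site code: an e-mail list registration check
// in the injectable form the article describes, then hardened. Assumes an
// in-memory SQLite database via PDO; table/column names are made up here.
// Run with: php register_example.php
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO subscribers (email) VALUES ('fan@example.com')");

// Vulnerable form: the submitted address is spliced into the SQL text, so a
// crafted value rewrites the query itself. If the page only ever shows a
// generic "thanks" message and hides database errors, the sole signal left to
// an attacker is whether the query matched, which is the "blind" condition.
function isRegisteredVulnerable(PDO $db, string $email): bool
{
    $sql = "SELECT COUNT(*) FROM subscribers WHERE email = '" . $email . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: a prepared statement sends the SQL text and the value
// separately, so the input is always a string literal, never query syntax.
function isRegisteredSafe(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn() > 0;
}

// Output encoding for the confirmation page, the fix for the XSS class the
// article mentions: anything echoed back to the visitor is HTML-escaped, so
// it is rendered as text rather than executed as script in the browser.
function confirmationHtml(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Thanks, ' . $safe . '</p>';
}

// Constructed inputs: a normal address, a value that closes the quote and
// appends an always-true condition, and an address carrying HTML markup.
$normal   = 'nobody@example.com';
$tampered = "x' OR '1'='1";
$markup   = '<b>fan</b>@example.com';

var_dump(isRegisteredVulnerable($db, $normal));
var_dump(isRegisteredVulnerable($db, $tampered));
var_dump(isRegisteredSafe($db, $tampered));
echo confirmationHtml($markup), PHP_EOL;
```

The tampered value is not a registered address, yet the vulnerable check reports a match because the injected condition changed the query's logic; the prepared-statement version compares the whole string literally and reports no match. The same separation of code from data is what `htmlspecialchars` provides on the output side: the markup in the third input reaches the browser as `&lt;b&gt;`, not as a tag.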

May 16, 2016 4:49pm BST

Full article: Hacker fans give Mr. Robot website free security checkup | Ars Technica
