Oh oh! Vulnerabilities found in the Mr Robot Website

Hello guys,

leet white hat hacker going by the name Zemnmez discovered a security flaw in Mr Robot new website- the hit USA Network show. shortly after a quick note to Mr Robot writer Sam Esmail, the vulnerability was patched.

On the day Mr Robot kicked off a promo campaign for the second series, the Cross-site scripting flaw was discovered. The launch included a clip of President Obama apparently condemning a ( fictional) destructive attack on the US financial system at the end of the first series, and a website, whoismrrobot.com mimicking a mix of Linux command line and IRC chat. The show has been applauded for showing a good portrayal of hacking.

XSS bugs are widespread.  Zemnmez said, that if a malicious hacker abused the bug, users’ Facebook information would have been leaked. In particular, he’d have targeted a section of the website that contains a quiz, whoismrrobot.com/fsociety, which requested access to players’ Facebook data. FSociety is the hacktivist collective that central character Elliot Alderson, played by Rami Malek joins early in series one. But to carry out such an attack, Elliot would have had to use some social engineering techniques.

It’s also worth noting the site doesn’t use HTTPS encryption.

A week after this, more flaws were found in the website promoting the second series of hacker drama Mr. Robot — whoismrrobot.com. If the most severe flaw was exploited by a hacker, he would have got a foothold on the USA Network network; another would have granted access to the site’s database.

Zemnmez warned the USA Network on Saturday about the more pressing issue, a remote code execution vulnerability. Zemn did a demonstration which forced the site’s fsociety game (fsociety being the fictional hacking group led by protagonist Alderson) to load an image which exploits a known vulnerability called “ImageTragick“. The game saw participants complete certain tasks to “join” the crew.

ImageTragick was the name given to a bug in ImageMagick, software commonly used by websites to handle images. Zemn noted that “A hacker could then make the computer running the website do whatever they wanted, such as display a different website making visitors download viruses, or download logs containing information on the websites’ users,”

In Zemn’s hack, he “tricked” the game server into accepting his specially-craftedFacebook FB -1.10% profile image. That photo directed the site server to make a request to the site RequestBin, which shows certain technical information on who has visited a page, effectively proving his exploit worked.

Further tests by Zemn indicated the website had been patched, however.

Describing his proof-of-concept attack, Zemn said: “It can read all server logs, all requests ever made to the server, serve arbitrary information from the server, read usernames, passwords and other credentials from the the server itself. It can make requests internal to the USA Network network.”

A second SQL injection bug which can reveal email addresses submitted to the site, was uncovered by another white hat hacker going by the name of Treasure Priyamal. This had also been patched.

This indicates poor security of the website, but this is no exception.

You a Mr Robot fan too? tell us what you think

Source: Akati

Comments are closed.