Sunday, 18 September 2016

Misconfigured Database Leaks Secrets of Hollywood


The database behind the website where members of the US film industry preview unreleased Hollywood movies (called screeners) was left exposed to the Internet for a long time without even an administrative password.

Anyone who knew where to look could access the database and download its contents. The data covers various screeners and also includes passwords for the accounts used to log into the site and watch upcoming, unreleased movies.

The only good news for Hollywood studios is that these passwords were hashed with the bcrypt algorithm and an additional salt of random characters. Cracking these passwords by brute force would take years to complete.

According to Chris Vickery, a security researcher at MacKeeper and the one who discovered the exposed server, the database also contained accounts for users who registered with email addresses at the following domains: @disney.com, @paramount.com, @fox.com, @warnerbros.com and @spe.sony.com.

Since an attacker would have full administrative access to all of these accounts, he would not need to crack the passwords at all. He could simply guess the hashing algorithm and replace the password hash of an existing account, or just create a new profile for himself.
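The point above is that bcrypt protects the password, not the row it sits in: whoever can write to the database can swap in a hash they know or add an account of their own. One mitigation is a keyed integrity tag over each credential row, computed with a key held outside the database and checked at login. The following is an added example, not code from the article or from the site it describes; the key, the row layout and the bcrypt-looking strings are all constructed for the demo.

```python
"""Integrity check for credential rows in a database that an intruder may
be able to write to.  The bcrypt hash slows down cracking; it does not stop
someone from replacing it.  A keyed MAC over the row, with the key stored
outside the database, makes a swapped hash or an injected account fail at
login time.  All sample data below is constructed."""
import hmac
import hashlib
import re

# Hypothetical server-side key: in production it lives in an environment
# variable or a KMS, never in the same database as the rows it protects.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Modular-crypt bcrypt string: $2a/2b/2y$ <2-digit cost> $ 22-char salt + 31-char hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def looks_like_bcrypt(h: str, min_cost: int = 10) -> bool:
    """Cheap sanity check: rejects plaintext, unsalted digests and low-cost hashes."""
    m = BCRYPT_RE.match(h)
    return bool(m) and int(m.group(1)) >= min_cost


def row_tag(user_id: int, email: str, pw_hash: str) -> str:
    """HMAC-SHA256 over the fields that must not change behind the server's back."""
    msg = f"{user_id}\x00{email}\x00{pw_hash}".encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


def seal_row(row: dict) -> dict:
    """Attach the integrity tag when the row is written by the application."""
    row = dict(row)
    row["tag"] = row_tag(row["id"], row["email"], row["pw_hash"])
    return row


def verify_row(row: dict) -> bool:
    """True only if the hash is well-formed and the row carries a valid tag."""
    if not looks_like_bcrypt(row["pw_hash"]):
        return False
    expected = row_tag(row["id"], row["email"], row["pw_hash"])
    return hmac.compare_digest(expected, row.get("tag", ""))


# Constructed rows; the bcrypt strings are stand-ins with the right shape, not real hashes.
GOOD = seal_row({"id": 1, "email": "voter@example.com",
                 "pw_hash": "$2b$12$" + "a" * 22 + "b" * 31})
# Intruder replaced the hash with one they know, leaving the old tag in place.
TAMPERED = dict(GOOD, pw_hash="$2b$12$" + "c" * 22 + "d" * 31)
# Intruder inserted a new account without knowing INTEGRITY_KEY.
INJECTED = {"id": 999, "email": "new@example.com",
            "pw_hash": "$2b$12$" + "e" * 22 + "f" * 31, "tag": "0" * 64}
```

Running `verify_row` on each row accepts GOOD and rejects both TAMPERED and INJECTED, which is the check a login path would perform before comparing the submitted password against the stored bcrypt hash.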

Immediately after discovering the database, Vickery contacted Vision Media Management (VMM), the company the MPAA (Motion Picture Association of America) hired to build the website as an alternative to sending DVD screeners to its members by post.

This website, located at awards-screeners.com, is used by MPAA members to view and vote for movies contending every year for the Oscars.