Little Bobby Tables Strikes Again —

Hacker fans give Mr. Robot website free security checkup

Days after USA Network patches XSS bug, hacker finds a way to inject SQL code.

Some of the code behind the new <em>Mr. Robot</em> website.
Some of the code behind the new Mr. Robot website.
NBC Universal

The USA Network show Mr. Robot has drawn a good deal of praise for its accurate (relative to other TV shows) portrayal of hacking and computer security. So, naturally, the site for the show has drawn a slightly different sort of adoring fan—"white hat" hackers looking for security holes.

On May 10, USA Network launched a new site for Mr. Robot promoting the July debut of the series' second season—a JavaScript-powered page that uses text input and mimics a Linux shell (complete with a GRUB bootup message). On the same day, as Forbes' Thomas Fox-Brewster reported, a hacker operating under the name Zemnmez reported a cross-site scripting (XSS) vulnerability in the Mr. Robot site that could have been used to trick the site's visitors into giving up their Facebook profile data. Zenmez sent an e-mail about the vulnerability to Mr. Robot writer Sam Esmail; within a few hours, according to NBC Universal (USA Network's corporate parent), the vulnerability was removed.

News of the vulnerability apparently piqued the interest of other hackers in the show's fanbase. On May 13, another "white hat" hacker who calls himself corenumb poked around the site's e-mail registration code and found that the PHP code behind it was vulnerable to a type of attack called blind SQL injection—an attack that embeds SQL commands into text sent to a website, bypassing error messages that would normally block those attacks. The vulnerability would have allowed a malicious attacker to execute SQL commands against the database used for the show's e-mail list. Corenumb was able to retrieve information about the backend database and the server it runs on using SQLmap, an open source penetration testing toolkit used specifically for checking for SQL injection vulnerabilities.

NBC Universal responded quickly to corenumb's alert, but Ars has not received confirmation that the vulnerability had been addressed. On the upside, at least USA Network is getting a bunch of penetration testing done for free.

Channel Ars Technica