BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Elite Russian Hackers Claim To Have Breached Three Major U.S. Antivirus Makers
School Lunch Business Rivalry Leads To Hacking Charges
Cybercriminals Steal $1.75 Million From An Ohio Church
Ransomware Hits Yet Another U.S. Airport
A Free Wi-Fi Finder App Exposed Passwords To Millions Of Networks
A Ransomware Attack Knocked The Weather Channel Off The Air
Edit Story
ForbesInnovationCybersecurity

'Mr. Robot' Web Weaknesses Left Fans And USA Network Vulnerable, Warns Non-Fictional Hacker

Thomas Brewster
Forbes Staff
Senior writer at Forbes covering cybercrime, privacy and surveillance.
Following
This article is more than 7 years old.

Elliot Alderson would not be impressed.

A week after FORBES reported a basic vulnerability on the website promoting the second series of hacker drama Mr. Robot, some even more worrisome holes were found on whoismrrobot.com. The most severe would have allowed a malicious hacker to take complete control over the site and gain a foothold on the USA Network network; another would have granted access to the site's database.

On Saturday, a security researcher going by the name of Zemnmez warned the USA Network responsible for running the server about the more pressing issue, a remote code execution vulnerability. The exploit demonstrated by Zemn forced the site's fsociety game (fsociety being the fictional hacking group led by protagonist Alderson) to load an image which exploits a known vulnerability called "ImageTragick". The game saw participants complete certain tasks to "join" the crew.

ImageTragick was the name given to a bug in ImageMagick, software commonly used by websites to handle images. Researchers discovered they could create an image that was interpreted by ImageMagick as code, which could be malicious and execute as a program on the server hosting the site. "A hacker could then make the computer running the website do whatever they wanted, such as display a different website making visitors download viruses, or download logs containing information on the websites' users," noted Zemn. Cybercriminals have already exploited the flaw across the web.

In Zemn's hack, he "tricked" the game server into accepting his specially-crafted Facebook profile image. That photo directed the site server to make a request to the site RequestBin, which shows certain technical information on who has visited a page, effectively proving his exploit worked.

Zemn sent that information to the USA Network, and subsequently to FORBES. After a request for comment on Sunday, NBCUniversal said it was looking into the matter, but it had provided no statement at the time of publication. Further tests by Zemn today indicated the website had been patched, however.

Describing his proof-of-concept attack, Zemn said: "It can read all server logs, all requests ever made to the server, serve arbitrary information from the server, read usernames, passwords and other credentials from the the server itself. It can make requests internal to the USA Network network.

"It's the keys to the castle, and the castle."

A second bug was uncovered by another white hat hacker going by the name of Treasure Priyamal. The so-called SQL injection flaw could have been exploited to force the site to cough up email addresses submitted to the site (something your reporter did - he's a fan of the show). Priyamal emailed FORBES over the weekend to note the issue had also been patched.

Though Zemn has found two vulnerabilities on the Mr Robot site, he believes it's just symptomatic of a poorly-secured web. "Most security is terrible, and it's just ironic that Mr. Robot is not an exception," he told FORBES.

Follow me on TwitterCheck out my websiteSend me a secure tip
Thomas Brewster
Thomas Brewster