Misconfigured Database Exposes Hollywood's Movie Screener System
Critical Vulnerabilities in Hollywood Screener System can allow pirates to download unreleased films
A prominent security researcher has discovered serious vulnerabilities in a system that allows awards voters to watch the latest movie screeners online. Chris Vickery, who works for MacKeeper and had previously gained access to the ‘World-Check’ terror, crime and sanctions database, informed TF of his discovery last month after finding an unsecured database left open to the public.
Screeners are copies of unreleased films that movie studios give to the press and awards voters for review. Screeners were at the center of controversy last year when pirates leaked as many as 64 of them for new movies on torrent websites. Over the years, Hollywood has done its best to limit the leaks, but every 12 months without fail, many of the top titles appear online in close to perfect quality.
One such system is Awards-Screeners.com. The site allows SAG-AFTRA members and other industry insiders to view the latest movies for review. However, according to Vickery, the website is vulnerable to hacking. Through this vulnerability, hackers and pirates could access the database and download its contents, which include various details about the available screeners as well as the passwords for the accounts used to log into the site and watch the unreleased movies.
The good news for Hollywood studios is that the passwords were hashed with the bcrypt algorithm and an additional salt (random characters added before hashing). Cracking these passwords would take years of computational operations.
According to Vickery, the database contained accounts for users who registered with email addresses at the following domains: @paramount.com, @disney.com, @warnerbros.com, @fox.com, and @spe.sony.com. During his research, Vickery found that a hacker or pirate could gain full administrative access to these accounts. With that level of access, the hacker need not crack the passwords at all, but could simply guess the hashing algorithm and replace the password of an existing account, or create a new profile for himself.
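The two paragraphs above make a point worth seeing in code: a salted, slow password hash protects credentials against offline cracking of a leaked copy, but it does nothing against an attacker who can write to the table, because a stored hash can be overwritten with one the attacker computed himself. The block below is an added example, not code from the article, from VMM, or from Awards-Screeners.com. It uses the standard library's hashlib.scrypt as a stand-in for bcrypt (so it runs without third-party packages), stores hashes in an assumed "scrypt$salt$digest" format, and adds one defensive measure the article does not mention: an HMAC seal over each account row, keyed with a secret held outside the database, so that a hash replaced directly in the database no longer verifies and can be flagged by an integrity sweep. The account records and the integrity key are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (not the article's or VMM's code). hashlib.scrypt stands in for
# bcrypt: both are salted, deliberately slow password hashes. Work factor kept
# modest (about 16 MiB of memory) so the example runs quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted slow hash, stored as 'scrypt$<salt-hex>$<digest-hex>' (assumed format)."""
    salt = salt or os.urandom(16)  # a fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def seal_record(integrity_key: bytes, email: str, stored_hash: str) -> str:
    """HMAC over (email, hash). The key lives in the application, never in the database,
    so someone with database write access cannot produce a valid seal for a new hash."""
    message = f"{email}\n{stored_hash}".encode()
    return hmac.new(integrity_key, message, hashlib.sha256).hexdigest()


def record_is_intact(integrity_key: bytes, record: dict) -> bool:
    expected = seal_record(integrity_key, record["email"], record["password_hash"])
    return hmac.compare_digest(expected, record["seal"])


def find_tampered(integrity_key: bytes, records: list) -> list:
    """Integrity sweep: return the emails of rows whose hash no longer matches its seal."""
    return [r["email"] for r in records if not record_is_intact(integrity_key, r)]


def make_record(integrity_key: bytes, email: str, password: str) -> dict:
    """What the legitimate sign-up / password-change path would write."""
    stored = hash_password(password)
    return {"email": email, "password_hash": stored,
            "seal": seal_record(integrity_key, email, stored)}


if __name__ == "__main__":
    key = os.urandom(32)  # constructed integrity key; in practice read from a secrets store
    table = [make_record(key, "voter1@example.com", "correct horse battery"),
             make_record(key, "voter2@example.com", "another passphrase")]

    # Normal login still works against the salted hash.
    print(verify_password("correct horse battery", table[0]["password_hash"]))  # True

    # Simulate a hash overwritten directly in the database, bypassing the
    # application: the new hash verifies, but the row's seal no longer does.
    table[1]["password_hash"] = hash_password("replaced")
    print(find_tampered(key, table))  # ['voter2@example.com']
```

The seal does not prevent the overwrite, it makes it visible: the login path should refuse rows that fail `record_is_intact`, and `find_tampered` can run on a schedule so an unauthorized change to the credentials table shows up as an alert rather than as a leaked screener.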
Immediately after discovering the database Vickery contacted Vision Media Management (VMM), the company which the MPAA (Motion Picture Association of America) hired to create and maintain the website.
Vickery notes that after contacting the company, he was pleasantly surprised to discover that VMM took the data breach very seriously and shut down access to the database. Unfortunately, it also informed its legal counsel, who questioned Vickery about his motives. Vickery says he was put in the awkward position of explaining to the lawyers that he wasn’t trying to extort them.
However, that didn’t stop VMM from hiring a big-shot lawyer who tried to intimidate Vickery by accusing him of improperly downloading a copy of the database, something Vickery always does as proof in case a company denies any security breach. Vickery reminded the lawyer of his long history of exposing unsecured databases.
“I have cooperated with and contributed to data breach-related investigations conducted by the FTC, FBI, US Navy, HHS/OCR, US Secret Service, and other similar entities,” Vickery replied in an email. “Not a single regulatory or government agency I have interacted with has even suggested that what I do, downloading publicly published information, is improper.”
In later email exchanges, VMM told Vickery that most of the data he downloaded was actually test data. Vickery says he found information of 1,200 user accounts, but VMM informed him that only 160 of those records were from real users.
Vickery also sifted through the rest of the data dump and discovered links to three Amazon S3 buckets, also exposed to the Internet without authentication, where the company stored details about various developer tools and API integrations. Vickery says that VMM has not yet replied to his latest report.
In the absence of an official statement from Vision Media, it’s impossible to say how many people accessed the Awards-Screeners database before Vickery discovered the vulnerability. So next time a screener is leaked online, you know who is to be blamed.