Real hackers found ways to break into the website of hacker show 'Mr. Robot'

USA Network's "Mr. Robot" offers viewers a realistic portrayal of computer hackers with very few glaring flaws, but its website had a few big ones up until recently.

Last week, real-life hackers uncovered security vulnerabilities in the show's website that could have resulted in an attacker downloading a database or gaining access to personal information on fans of the show.

Both flaws were found soon after the launch of a promo for the show's upcoming second season at whoismrrobot.com, which features a mockup of a Linux command line that users can type into.

A white hat hacker named Zemnmez found the website was vulnerable to a cross-site scripting (XSS) attack, one of the most common methods hackers use to gain access to a server. In this case, Zemnmez could have pulled Facebook user data directly from people wanting to play a quiz on the site, according to Forbes' Thomas Fox-Brewster, who first reported the flaw.

"A threat actor with XSS on whoismrrobot.com could use the XSS to inject Javascript [programming language] which inherits the ability to read Facebook information from the fsociety game," the hacker told Forbes. "This could be done mostly silently if correctly engineered with a short popup window."

Zemnmez wasn't able to find contact info to report the breach but ended up reporting it straight to Sam Esmail, the show's creator, and it was patched a short time later.

Inspired by articles about the security oversight, a hacker named corenumb did some poking around and found another security hole, which could have given an attacker access to the website's database. Using a security testing application, corenumb found a way for an attacker to pull off a blind SQL injection, which can uncover usernames and passwords in some cases.

"Since I’m a big fan of the TV Series I went and look[ed] around [a] bit. I wasn’t expecting to find any vulnerabilities but I had my burp running on [the] side," corenumb wrote, mentioning a security testing program called Burp. The hacker ended up finding that a page where users subscribe to an email list was vulnerable, and he reported it on May 12.

It was patched two days later, according to the blog post detailing the find.

Tech Insider reached out to the domain administrator for NBC Universal, but has not received any response.
