Misconfigured Database Leaks Secrets of Hollywood


The database behind the website where members of the US film industry preview unreleased Hollywood movies (known as screeners) was left exposed to the Internet for a long time without so much as an administrative password.

Anyone who knew where to look could access the database and download its contents. The data covered various screeners and also included the passwords for the accounts used to log into the site and watch the upcoming, unreleased movies.

The only good news for the Hollywood studios is that these passwords were hashed with the bcrypt algorithm and a salt of random characters. Cracking these hashes by brute force would take years.

According to Chris Vickery, the MacKeeper security researcher who discovered the exposed server, the database also contained accounts for users who had registered with email addresses at the following domains: @disney.com, @paramount.com, @fox.com, @warnerbros.com, and @spe.sony.com.

Since anyone reaching the database would have full administrative control over all of these accounts, an attacker would have no need to crack the passwords: he could simply work out the hashing algorithm and replace the stored password of an existing account, or just create a new profile for himself.

Immediately after discovering the database, Vickery contacted Vision Media Management (VMM), the company the MPAA (Motion Picture Association of America) hired to build the website as an alternative to mailing DVD screeners to its members.

The website, located at awards-screeners.com, is used by MPAA members to view and vote on the movies contending for the Oscars each year.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]