Naked Security

Real-life hacker finds serious bug in hacker TV show Mr. Robot website

A real-life hacker discovered a flaw in the fictional hacker show's website that could have exposed users' Facebook profile information.

The TV show “Mr. Robot” received a lot of praise from its tech-savvy audience after the USA Network drama about a group of anti-establishment hackers debuted last year.

With the show about to return for its second season on 13 June, the marketing folks at USA have come up with some clever promotions to build anticipation and attract attention, including a website that lets you “join FSociety,” the fictional hacktivist group featured in the show.

Ironically, a real-life hacker discovered last week that the Mr. Robot website had a serious security vulnerability that a malicious hacker could have exploited to steal Facebook profile information.

When you visit the site – whoismrrobot.com – you have the option to play a game that requires you to sign in with your Facebook account, and that means handing over your profile data, including name, email address, profile picture, age range, gender, language, country and more.


The hacker who discovered the flaw, who goes by the moniker Zemnmez, sought out the show’s creators on Twitter on Monday (9 May), the day the Mr. Robot website launched.

Zemnmez told Forbes that the bug, a cross-site scripting (XSS) vulnerability, could have allowed an attacker to inject JavaScript into the website and, because that script would run with the site's own privileges, use it to steal any logged-in user's Facebook profile data:

A threat actor with XSS on whoismrrobot.com could use the XSS to inject JavaScript which inherits the ability to read Facebook information from the fsociety game … This could be done mostly silently if correctly engineered with a short popup window.

Fortunately, Zemnmez was able to get in touch with Sam Esmail, the writer and creator of Mr. Robot, and the flaw was fixed within a day – hopefully before anyone with malicious intent discovered it.

This episode might be a bit embarrassing for USA Network and Mr. Robot.

But it’s a powerful reminder that even people who should know better can sometimes make mistakes that put our data at risk.

It also raises an important point about what could happen when a website asks for access to your Facebook profile.

Are you willing to trade your privacy to play a game that you’ve never seen before and aren’t likely to play again?


Image of FSociety courtesy of USA Network.