Naked Security

Massive MoviePass database found exposed on public server

Tens of thousands of records with financial data were left in plaintext in a database that wasn't protected with a password.

Last year, MoviePass CEO Mitch Lowe gloated about how the company was using subscribers’ data…

…or, rather, how MoviePass could use that data, as a company spokesman hastened to point out in the uproar that followed Lowe’s remarks at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”

Media Play News quoted Lowe at the time:

We know all about you.

Well, to put a rancid cherry on top of that gritty little cupcake, MoviePass didn’t just know “all about you.” It also apparently knows how to let all that knowing flop around, unprotected, on the internet.

As TechCrunch reported on Tuesday, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently stumbled across a massive database – TechCrunch’s Zack Whittaker reported that it contained 161 million records “and growing” as of the time he published his report – on one of the movie ticket subscription service’s subdomains.

Up for grabs were mundane logging messages, but the exposed records also included critical data, including customer card numbers and personal credit cards of some subscribers. There were 58,000 subscribers’ cards exposed as of Tuesday, and the number was growing.

And as Whittaker explains, MoviePass customer cards are similar to normal debit cards: issued by Mastercard, they store a cash balance, which subscribers can use to pay to watch a catalog of movies. Subscribers pay a monthly fee, and then MoviePass uses this debit card to load the full cost of the movie. The subscriber then uses that MoviePass card to pay for the movie at the cinema.

All for want of a… password?!

Was it an esoteric hack that got the database exposed? A hole in cybersecurity defenses? Not really, Hussein said. It was because somebody neglected to protect a critical server with a password.

To make matters worse, none of the sensitive data was encrypted. Hussein:

We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data. In the case of MoviePass, we are questioning why internal technical teams would ever be allowed to see such critical data in plaintext – let alone the fact that the data set was exposed for public access by anyone.

It’s unfortunate that a company that knows “all about you” can somehow forget to know that it should lock up all that it knows.