MoviePass exposed thousands of unencrypted customer card numbers – TechCrunch




MoviePass, the movie ticket subscription service, exposed tens of thousands of customer card numbers and personal credit card numbers because a critical server was not protected by a password.

Mossab Hussein, a security researcher at SpiderSilk, a Dubai-based cybersecurity company, found a database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Most of the records were ordinary computer-generated log messages used to keep the service running, but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards look like ordinary debit cards: they are issued by Mastercard and hold a cash balance that subscribers can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass loads the full cost of the movie onto the debit card, which the customer then uses to pay for the movie at the cinema.

We examined a sample of 1,000 records and removed duplicates. Just over half contained unique MoviePass debit card numbers. Each customer card record contained the MoviePass debit card number and its expiry date, the card balance, and when the card was activated.

The database contained more than 58,000 records of card data, and the number was growing by the minute.

We also found records containing customers' personal credit card numbers and expiry dates, along with billing information, including names and postal addresses. Among the records we reviewed, some contained enough information to make fraudulent card purchases.

Some records, however, contained card numbers that were masked except for the last four digits.

The database also contained email addresses and password data related to failed login attempts. We found hundreds of records containing a user's email address and the incorrectly typed password, stored as submitted. We verified this by trying to log in to the app with an email address and password that did not exist and were known only to us. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.
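The records described above illustrate two logging controls that were missing: submitted passwords (even mistyped ones on failed logins) should never be persisted, and card numbers should be masked to the last four digits before a log line is written, as some of the exposed records already were. The following Python sanitizer is an added example, not MoviePass's or TechCrunch's code; the field names, the Luhn-based detection of card-like digit runs in free text, and the sample log lines are all constructed for illustration.

```python
"""Added example: sanitize structured log records before they are persisted.

Two controls are shown: password fields are redacted outright, and primary
account numbers (PANs) are masked to their last four digits, both when they
sit in a dedicated field and when they are embedded in a free-text message.
Field names and sample records are constructed (assumptions, not the
service's real schema).
"""
import json
import re

# Keys whose values must never be persisted, not even on a failed login attempt.
NEVER_STORE_KEYS = {"password", "passwd", "pwd", "cvv", "cvc"}
# Keys that hold a card number and must be masked (assumed field names).
PAN_KEYS = {"card_number", "pan", "debit_card"}
# Candidate PANs embedded in free text: 13-19 contiguous digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

REDACTED = "[REDACTED]"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to avoid masking order ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, e.g. '5555555555554444' -> '************4444'."""
    return "*" * max(len(pan) - 4, 0) + pan[-4:]


def _mask_in_text(text: str) -> str:
    """Mask any Luhn-valid digit run of PAN length inside a free-text value."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text)


def sanitize_record(record: dict) -> dict:
    """Return a copy of the record that is safe to write to a log store."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in NEVER_STORE_KEYS:
            clean[key] = REDACTED
        elif k in PAN_KEYS and isinstance(value, str):
            clean[key] = mask_pan(value)
        elif isinstance(value, str):
            clean[key] = _mask_in_text(value)
        else:
            clean[key] = value          # numbers, booleans, etc. pass through unchanged
    return clean


def sanitize_json_line(line: str) -> str:
    """Sanitize one JSON-formatted log line and re-serialize it deterministically."""
    return json.dumps(sanitize_record(json.loads(line)), sort_keys=True)


# Constructed sample log lines resembling the kinds of records the article describes.
# 5555555555554444 is a well-known Mastercard test number; 1234567890123456 fails Luhn.
SAMPLE_LINES = [
    '{"event": "login_failed", "email": "alice@example.com", "password": "hunter22"}',
    '{"event": "card_activated", "card_number": "5555555555554444", "expiry": "08/22", "balance": 14.5}',
    '{"event": "charge", "message": "loaded 14.50 onto card 5555555555554444 ref 1234567890123456"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(sanitize_json_line(line))
```

The sanitizer belongs at the point where records enter the logging pipeline (a logging filter or the serializer in front of the log store), so that nothing downstream ever sees the raw value. The Luhn check keeps the free-text masking from clobbering unrelated identifiers, but a dedicated card field is masked unconditionally, since a stray non-Luhn value there is still not something a log should carry.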

Hussein contacted MoviePass chief executive Mitch Lowe by email over the weekend, in a message TechCrunch has seen, but received no response. Only after TechCrunch reached out on Tuesday did MoviePass take the database offline.

The database is understood to have been exposed for months, according to data collected by cyber-threat intelligence company RiskIQ, which first detected the system at the end of June.

We asked MoviePass several questions, including why the email disclosing the security lapse was ignored, how long the server was exposed, and whether it intends to disclose the incident to customers and to state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a roller coaster since it hit the mainstream last year. The company quickly grew from 1.5 million to 2 million customers in less than a month. But MoviePass went downhill after critics said it was growing too fast, and the company briefly shut down after it ran out of money. The company later said it was profitable, but then suspended the service, which it attributed to its mobile application. It now says it has "restored [service] to a significant number of our current subscribers."

According to an April internal data leak, its customer base has fallen from three million to about 225,000 subscribers. And just this month, MoviePass was reported to have changed users' passwords to make it harder for heavy users to access the service.

Hussein said the company was negligent in leaving unencrypted data in an accessible, exposed database.

"We continue to see businesses of all sizes using dangerous methods to store and process private user data," Hussein told TechCrunch. "In the case of MoviePass, we wonder why internal technical teams would ever be allowed to see such critical data in plain text – not to mention the fact that the dataset was exposed to the public for anyone to access," he said.

The security researcher said he found the exposed database using his company's web-mapping tools, which allow him to see any database connected to the Internet without a password and identify its owner. The findings are disclosed privately to the affected companies, often in exchange for a bug bounty.

Hussein has a track record of finding exposed databases. In recent months he discovered one of Samsung's development labs exposed on the Internet. He also found a major exposed database belonging to Blind, an anonymous workplace social network, which exposed private user data.
