Unreleased Movies Potentially Exposed To Anyone With An Internet Connection.
There's a website that the Motion Picture Association of America doesn't really want you to know about. It's located at http://awards-screeners.com. The reason for the hush-hush nature? Well, this site is apparently used as a hub for previewing unreleased films.
As you might have guessed, awards-screeners.com (and the company responsible for running it, Vision Media Management) had a data breach problem to deal with recently. Almost two weeks ago I called Vision's office to inform them that a MongoDB database, possibly related to their site awards-screeners.com, was completely exposed to the public internet with no username or password required for access.
The biggest immediately recognizable concern within this database was the existence of around 160 usernames and hashed passwords for people whose email addresses end with domains such as @paramount.com, @disney.com, @warnerbros.com, @fox.com, and @spe.sony.com. The user table had a total of about 1,200 entries, but there is reason to believe that some amount of load-balancing test data was also included. The 160 “actual logins” number is what Vision Media claims to be accurate.
The passwords that accompanied these accounts were hashed with bcrypt, which is salted and deliberately slow. That means nobody is likely to crack the whole set quickly, but it does not put the accounts out of reach: bcrypt only raises the cost of each guess, and because each hash carries its own salt, every guess has to be computed separately per account. Statistically speaking, at least a few of these hashes were produced from an easy-to-guess password that a short dictionary run would recover regardless of the work factor. These accounts are high-value targets, so the motivation is definitely there for someone to spend the necessary hash cracking time, and the prudent response is to force a password reset on every account in the dump.
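The point above, as an added example that is not code from the original post or from Vision Media: a dictionary attack over a constructed dump of salted, slow hashes. The standard-library PBKDF2 stands in for bcrypt so the block runs without third-party packages (a real run would swap `verify` for `bcrypt.checkpw`); the usernames, wordlist and iteration count are all assumptions made for the demonstration. It shows two things at once: the weak passwords fall after a handful of guesses no matter how slow the hash is, and the per-account salt forces the attacker to pay one KDF call per (candidate, account) pair rather than one per candidate.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt's work factor: a salted, deliberately slow KDF from the
# standard library. With the real thing, bcrypt.checkpw(pw, stored) replaces
# verify() below and the attack loop is unchanged.
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' for a password with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, stored):
    """Recompute the slow hash under the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed dump in the shape of the leaked user table (username, hash).
# Two users chose dictionary words; one chose a long random passphrase.
SAMPLE_DUMP = [
    ("alice@example.com", hash_password("Password1")),
    ("bob@example.com", hash_password("x7#Qm!vL2p$Rz9wKe4")),
    ("carol@example.com", hash_password("summer2016")),
]

# Constructed wordlist; a real run would use a leaked-password corpus.
WORDLIST = ["123456", "password", "Password1", "welcome", "summer2016", "letmein"]


def crack(records, wordlist):
    """Offline dictionary attack.

    Returns (recovered, work) where recovered maps username -> password and
    work counts KDF invocations. Because every record has its own salt, a
    candidate cannot be hashed once and compared against all records; the
    cost is bounded by len(records) * len(wordlist) slow hashes, which is
    exactly what salting buys compared to an unsalted dump.
    """
    recovered = {}
    work = 0
    for user, stored in records:
        for candidate in wordlist:
            work += 1
            if verify(candidate, stored):
                recovered[user] = candidate
                break  # move on; a strong password exhausts the whole list
    return recovered, work


def seconds_for(accounts, candidates, hashes_per_second):
    """Wall-clock estimate for a full dictionary pass at a given cracking rate."""
    return accounts * candidates / hashes_per_second


if __name__ == "__main__":
    found, work = crack(SAMPLE_DUMP, WORDLIST)
    print(f"recovered {found} after {work} slow hashes")
    # e.g. 160 accounts x 10,000 candidates at 1,000 bcrypt/s on one GPU
    print(f"160 x 10k at 1k/s: {seconds_for(160, 10_000, 1_000) / 60:.0f} minutes")
```

The `seconds_for` estimate is only a back-of-the-envelope: bcrypt cost 10 on a single modern GPU runs in the low thousands of hashes per second, so 160 accounts against a ten-thousand-word list is under half an hour of work, which is why forcing a reset matters more than the hash algorithm does once the table has leaked.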
Upon me explaining the situation, the employee who initially answered my phone call immediately transferred me to Vision's lead internal counsel. That's fairly impressive. Usually I have to work my way through a few intermediate people before being passed to lead counsel of any company. It's good to see that Vision takes the issue of data breaches very seriously and has apparently trained their staff to act accordingly.
Once I explained the nature of the exposed database to this attorney, he quickly pulled Vision's CTO, Doug Woodard, into the room and had me repeat what I had just told him. They were baffled as to how this could happen but both immediately understood the potential seriousness of the situation. Doug, who would become my main contact at Vision, stepped out of the conversation shortly thereafter so that he could make some very urgent calls to figure out what was going on with this MongoDB instance.
Then came the awkward part. I continued, over the phone, to inform Vision's internal counsel that I had actually downloaded a copy of the publicly exposed database. I say this was awkward because, for the first time in all my research efforts, it felt like someone thought I was trying to proposition an extortion scheme. I very quickly clarified that my intentions are completely noble and I am not in any way trying to extort or blackmail anyone. I think we were both relieved when that was made clear.
Our phone call ended with us exchanging contact information for future updates as Vision investigates the situation. After hanging up, I did a quick check to see if the database was still exposed; it was not. Doug's calls must have rattled some cages and quick action was taken to secure the data.
In the time since that initial phone call, I have spoken with and emailed Doug several times. Most recently these conversations have included an outside attorney, Tanya Forsheit, that Vision hired to represent them in the matter.
Tanya has very impressive credentials in the world of data breach law, which makes her initial email to me somewhat surprising. It stated, in part: “As we are investigating, I trust you won't make any public statements until we know more, and that you won't use any of the information that you improperly downloaded.” [emphasis added]
Here's the gist of my email response back to her:
I fully understand the duty you have to zealously represent the interests of your client. However, I would prefer that we be very careful regarding accusations of improper access. The bottom line is that, until my notification to Vision Media, this database was being published openly to the public internet through Amazon Web Services.
I know that Doug Woodard, CTO of Vision Media, has said there may have been a fault in Amazon's hosting platform. I find this scenario unlikely and I think you'll see that Amazon is fairly resistant to any suggestion of problems with their infrastructure.
The most likely explanation is that someone working for, or at, Vision Media made a mistake. It happens. But let's not shoot the messenger here. I like to think of myself as a fairly jovial, lighthearted person and I'm hoping that you and I can get along. That will be difficult if there are continued accusations of improper activity on my part.
I have cooperated with and contributed to data breach-related investigations conducted by the FTC, FBI, US Navy, HHS/OCR, US Secret Service, and other similar entities. Not a single regulatory or government agency I have interacted with has even suggested that what I do, downloading publicly published information, is improper.
After those initial tensions, all of my communications with Tanya and Doug have been very good, polite, and welcome. While I have not completely bought into Vision Media Management's explanations of how this data breach occurred (or their claims that the database contains a majority of harmless test data), it has at least not been an unpleasant experience speaking with them.
If they had not been so kind to me, or if they had tried to label me some kind of evil hacker, I might not have been inclined to send them a second breach notification report this past weekend:
Sorry to be the bearer of (more) bad news, but it appears there are at least a few more, fairly important, holes for Vision to plug. I did a little digging into the "test data", just to verify what you have been saying, and it has led me to more completely exposed data that gives an even greater understanding into how Vision Media's system works.
Specifically, I ran across the publicly exposed S3 buckets located at "http://mpaa.visionmm.resources.s3.amazonaws.com" and "http://travis.visionmm.resources.s3.amazonaws.com".
These documents, that are currently exposed to anyone with an internet connection, shed light on the interplay between Vision/Deluxe Media, Kaltura, Netflix, and other players.
I'm fairly certain this reaches beyond the implications of harmless junk data. I'm also certain that people with actual malicious intent could cause harm if they came across all of this data and set about some time to reverse engineer the authentication measures. There are implications far beyond salted hashes here (Kaltura "ks IDs" might ring a bell for Doug).
At this time, I'm still waiting to hear back from Vision regarding the content of those S3 buckets (which included quite a bit of internal development documentation) as well as anything else that they may have found exposed while responding to this second notification.
I'll most likely be writing an update to this post once more is known. For now, take a gander at the screenshots above this post, head over to TorrentFreak.com for additional coverage, and watch this blog for more info.
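The bucket exposure described in the second notification, as an added example that is not code from the original post or from Vision Media: a check that asks S3 for an unauthenticated bucket listing and classifies the answer, plus a parser for the ListBucketResult document S3 returns when listing is open to everyone. The sample listing is constructed for the demonstration; the `example-resources` bucket name and its two keys are assumptions. One caveat the code builds in: bucket names with dots in them, like the two named above, do not match the `*.s3.amazonaws.com` wildcard certificate, so the check uses the path-style URL rather than the virtual-hosted form, which would fail TLS hostname verification.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def listing_url(bucket):
    """Unauthenticated listing URL in path style.

    Path style is deliberate: a dotted bucket name such as
    'mpaa.visionmm.resources' makes the virtual-hosted hostname
    mpaa.visionmm.resources.s3.amazonaws.com, which the *.s3.amazonaws.com
    wildcard certificate does not cover, so HTTPS would fail hostname checks.
    """
    return f"https://s3.amazonaws.com/{bucket}/"


def parse_listing(body):
    """Parse a ListBucketResult document into name, truncation flag and objects.

    Returns {"name": str, "truncated": bool, "objects": [(key, size_bytes), ...]}.
    S3 returns at most 1000 keys per page; when truncated is True the caller
    must re-request with ?marker=<last key> to see the rest of the bucket.
    """
    root = ET.fromstring(body)
    objects = [
        (c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size")))
        for c in root.findall(S3_NS + "Contents")
    ]
    return {
        "name": root.findtext(S3_NS + "Name"),
        "truncated": root.findtext(S3_NS + "IsTruncated") == "true",
        "objects": objects,
    }


def classify(status, body=b""):
    """Map the HTTP answer to an unauthenticated GET on the bucket root.

    A public listing does not by itself mean every object is readable (object
    ACLs are separate), and objects can be world-readable without the bucket
    being listable; this check only covers the listing.
    """
    if status == 200 and b"ListBucketResult" in body:
        return "public-listing"
    if status == 301:
        return "wrong-region"        # path-style to us-east-1 for a bucket elsewhere
    if status == 403:
        return "exists-not-listable"  # AccessDenied: bucket exists, listing is closed
    if status == 404:
        return "no-such-bucket"
    return f"other-{status}"


def check_bucket(bucket):
    """Live check against S3; not exercised offline."""
    try:
        with urllib.request.urlopen(listing_url(bucket), timeout=10) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


# Constructed listing in the exact shape S3 returns for an open bucket.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-resources</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>docs/api-notes.pdf</Key>
    <Size>10240</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>build/config.json</Key>
    <Size>512</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>"""


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print(classify(200, SAMPLE_LISTING), listing["name"])
    for key, size in listing["objects"]:
        print(f"  {size:>8}  {key}")
```

Run against your own buckets, the only acceptable answer is `exists-not-listable` (or `no-such-bucket` for names you expected to be retired). The fix on the AWS side is to remove the `AllRead`/`AllUsers` grant from the bucket ACL and policy and to turn on the account-level S3 Block Public Access setting, which refuses to apply such grants in the first place.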
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org