Surprise, Surprise: In Addition to an Unreliable Service, MoviePass Also Offers Poor Security for Its Customers' Data
MoviePass could very well act as proof that not every good idea leads to success. The company was founded about eight years ago, and its business plan is based on what sounds like a brilliant concept. Subscribers pay a flat monthly fee and receive a special debit card that can only be used at cinemas that partner with MoviePass. They go to one of those cinemas, pick the movie they want to watch and the showtime, and their debit card is automatically loaded with enough money to pay for the ticket. They pay with the card and watch the movie.
In a word, it's Netflix for people who like to get off the couch every now and then, and for frequent moviegoers, it's a brilliant way of spending less on their hobby. While they are saving money, however, MoviePass is losing it.
Concerns about the sustainability of MoviePass' business model were first raised shortly after the service went online, and over the years, users were put through several changes in the available subscription plans which were supposed to improve the company's financial health. Despite all this, the balance sheets show that MoviePass is still losing money, and last year, the service was even stopped temporarily because the company had no money to pay its partners. More than a year after the outage, the financial woes are still serious, and MoviePass' future doesn't look very certain. Cash-related problems shouldn't be an excuse for putting users' privacy at risk, however, and unfortunately, a security researcher by the name of Mossab Hussein recently discovered that MoviePass has endangered the personal information of quite a few subscribers.
MoviePass leaves a server full of sensitive data without a password
Hussein discovered a database on one of MoviePass' subdomains that was accessible from anywhere in the world and was not protected by a password. The database, it later became apparent, was called "prod" (most likely short for "production"), and new records were being added constantly, which led Hussein to believe that it contained genuine data on real MoviePass customers. He got in touch with TechCrunch's Zack Whittaker, who took a look and tried to figure out what sort of data was exposed.
The unsecured database contained more than 160 million records, and although a large portion of them consisted of system logs, there was plenty of personal information as well. Whittaker took a sample of 1,000 records, cleaned the duplicates, and discovered that about half of what was left consisted of unique MoviePass debit card numbers and expiry dates. He also found records that held subscribers' personal credit card numbers, expiry dates, names, and postal information, and because it was a production database, new entries were being added all the time.
Apparently, the unprotected server didn't store any valid usernames and passwords, but it did contain logs related to unsuccessful login attempts. Whittaker tried to log in with the wrong credentials, and seconds later, the details he entered appeared in the database. The fact that wrong usernames and passwords were logged is somewhat strange. The fact that Zack Whittaker could see them is scary.
MoviePass didn't protect the information in any way
Unfortunately, leaving a database without a password is a rather common mistake nowadays. The consequences are often pretty devastating, but in the case of MoviePass, the potential damage could have been limited by some basic security mechanisms. Sadly, those mechanisms weren't implemented.
If we assume that recording the invalid passwords users enter is a good decision (a controversial question in itself), the company that does it must think about storing these details in a secure manner. As we have said time and again, the only truly secure way of storing passwords is by hashing them. MoviePass, however, decided to store the mistyped credentials in plaintext.
Nothing had been done to protect subscribers' credit and debit card data either. A small portion of the records held only the last four digits of the cards, but in most cases, the full details were available for the taking. It's unknown whether anyone managed to get to the data before Hussein, but in his report, Zack Whittaker said that according to cyberthreat intelligence firm RiskIQ, the database had been online for at least two months. TechCrunch's reporter asked MoviePass to confirm or deny this but received no response.
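The two failures described above (failed-login credentials logged in plaintext, and full card numbers stored when only the last four digits were needed) both come down to what a record is allowed to contain before it is written. The following is an added example, not MoviePass' code: a failed-login audit record that never holds the submitted password (only a keyed, truncated HMAC fingerprint, so repeated attempts with the same wrong password can still be correlated), a card-number masker that keeps only the last four digits, and a pre-write check that the raw secrets are absent. The HMAC key and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed key for this example only; in a real deployment it comes
# from a secrets manager and is rotated, never embedded in source.
LOG_HMAC_KEY = b"example-only-log-fingerprint-key"


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits of a card number; every other
    digit is replaced, so the stored value is useless for payment."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def password_fingerprint(password: str) -> str:
    """Keyed, truncated HMAC of a submitted (wrong) password. Analysts can
    see that N failed attempts used the same value, but without the key
    the log reveals nothing about the password itself."""
    mac = hmac.new(LOG_HMAC_KEY, password.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def failed_login_record(username: str, password: str, source_ip: str) -> dict:
    """Build the record a failed-login audit log should actually store.
    If there is no analytical need for correlation, drop password_fp too."""
    return {
        "event": "login_failed",
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "username": username,
        "password_fp": password_fingerprint(password),
        "source_ip": source_ip,
    }


def safe_to_log(record: dict, *secrets: str) -> bool:
    """Last check before writing: none of the raw secrets may appear
    anywhere in the serialized record."""
    blob = json.dumps(record)
    return all(s not in blob for s in secrets if s)
```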
The company's overall reaction to the incident was far from ideal. Mossab Hussein was the first to try to disclose the problem. Because of the sensitive nature of the leaked information, he emailed Mitch Lowe, MoviePass' CEO, directly over the weekend, but he never heard back. After Zack Whittaker reached out, the database was quietly taken offline, but the company decided not to issue an official statement or disclose important details about the leak, such as the exact nature of the exposed information, the number of affected users, and what precautions will prevent similar incidents in the future. All these things remain unknown for now, which means that every single MoviePass subscriber should keep a close eye on their bank statements and act quickly if they spot something suspicious.