
UPDATED – Domo Arigato: White hat reports vulnerability on Mr. Robot website

It couldn't have been scripted any better. The new promotional website for season two of the USA Network's computer hacking drama Mr. Robot required an emergency patch after a white-hat hacker discovered a cross-site scripting (XSS) vulnerability, according to a report from Forbes.com.

The hacker, who goes by the palindromic alias Zemnmez, emailed series creator Sam Esmail to report the XSS flaw.

According to Forbes, Zemnmez stated that hackers could have used the vulnerability to inject malicious JavaScript capable of stealing user information, including Facebook data that site visitors enter to participate in the website's quiz. The bad actor could have used a simple phishing technique to get victims to click on a malicious link that executes the JavaScript code, Zemnmez added.
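To show what the reported bug class looks like from the defender's side, here is an added example that is not code from the article or from the Mr. Robot site: a hypothetical quiz page that reflects a `name` URL parameter into its HTML, first with the reflected-XSS defect and then with the output encoding that neutralises it.

```javascript
// Added example (not from the article or the Mr. Robot site): a reflected-XSS
// bug of the kind described above, next to its fix. A hypothetical quiz page
// echoes a "name" query parameter from the visitor's URL into its HTML. The
// vulnerable renderer inserts it raw; the hardened one HTML-encodes it so the
// browser shows it as text instead of executing it.

// Vulnerable: untrusted URL data concatenated straight into markup.
function renderQuizPageVulnerable(nameParam) {
  return `<h1>Hello, ${nameParam}! Take the quiz.</h1>`;
}

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute value. This is the standard output-encoding step.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Fixed: every untrusted value is encoded at the moment it is placed in HTML.
function renderQuizPageSafe(nameParam) {
  return `<h1>Hello, ${escapeHtml(nameParam)}! Take the quiz.</h1>`;
}

// Extract the parameter the way a page script or server would, using the
// standard URL parser. The URLs below are constructed samples.
function nameFromUrl(urlString) {
  return new URL(urlString).searchParams.get('name') ?? '';
}

// Crude review check on rendered output: did a raw <script> tag appear in
// HTML whose template contains none?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed samples: an ordinary visitor link and a link carrying markup.
const normal = nameFromUrl('https://quiz.example/?name=Elliot');
const hostile = nameFromUrl('https://quiz.example/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E');
console.log(renderQuizPageVulnerable(hostile)); // the script tag reaches the browser
console.log(renderQuizPageSafe(hostile));       // rendered as harmless text
console.log(renderQuizPageSafe(normal));
```

Encoding at the point of output is the fix; a Content-Security-Policy that disallows inline scripts is the usual second layer, since it limits what an encoding slip can do.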

UPDATE 5/17: Another hacker who goes by the online alias Corenumb has blogged about finding a blind SQL injection vulnerability on the same Mr. Robot website after attempting to register an email address. The hacker reported the issue to the USA Network's parent company NBCUniversal, which patched the flaw just as it did in the previous instance.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
