Technology
MoviePass left customers’ credit card numbers exposed on unprotected server
MoviePass, the cinema subscription service that’s gone from “This is too good to be true” to “What is even going on I’m so tired” in a series of reinventions, has had another setback.
The company left thousands of customer card details, and tens of thousands of customers’ credit card details, visible on a server that was not password protected, according to a security research firm.
The database, which a reporter from TechCrunch observed “growing in real time,” contained more than 161 million records and counting, ranging from logging details generated in the course of a normal running day to unencrypted user details. Credit or debit card details were available, too, including card numbers, expiration dates, cardholder names, and billing addresses in plaintext.
MoviePass customer cards are basically MasterCard-issued debit cards; customers pay the monthly fee, and the service loads up the cards with the price of a movie ticket when a screening is booked, so subscribers can then buy them at the box office with the card.
(A MoviePass card could technically be used to make any debit purchase, users theorise, although it would get the account holder banned pretty swiftly.)
We verified the database as a live system by trying a set of unique but fake login credentials. Within moments, we saw our email address and password appear in the backend database.
I mean, the database was called “prod”. But y’know, good to check. pic.twitter.com/KXfaOU9PU0
— Zack Whittaker (@zackwhittaker) August 20, 2019
The breach was detected by systems developed by Dubai-based firm spiderSilk, and confirmed manually by the firm’s security team before they notified MoviePass, which did not respond.
Security researcher Mossab Hussein told Mashable while his team can’t tell for sure whether the database had been accessed by other parties, they estimate the number of credit cards that could be exposed in the dataset runs into the tens of thousands, in addition to around 50,000 MoviePass cards.
“Simple best practices should have prevented any of this from happening in the first place,” Hussein said. “But we see a lot of companies not worrying as much as they should, when it comes to ‘internal tools’ and ‘internal logging.’ And they justify this by saying something along the lines [of] ‘Oh, it’s only for internal use and analysis.'”
Mashable has contacted MoviePass’s parent company Helios + Matheson for comment on the exposure, including the reasons why the database was only taken offline after TechCrunch notified them of the issue and not when Hussein reached out over the weekend.
“We’ve seen companies that took 30 days to acknowledge a finding, and we’ve also seen companies that acknowledged and patched a finding within 60 minutes,” Hussein said. “But our position has always been very strict about this topic. Companies panic and respond in seconds if their apps are down … they should treat the safety of their customer data just the same.”
-
Entertainment7 days ago
WordPress.org’s login page demands you pledge loyalty to pineapple pizza
-
Entertainment6 days ago
‘Mufasa: The Lion King’ review: Can Barry Jenkins break the Disney machine?
-
Entertainment6 days ago
OpenAI’s plan to make ChatGPT the ‘everything app’ has never been more clear
-
Entertainment5 days ago
‘The Last Showgirl’ review: Pamela Anderson leads a shattering ensemble as an aging burlesque entertainer
-
Entertainment6 days ago
How to watch NFL Christmas Gameday and Beyoncé halftime
-
Entertainment4 days ago
Polyamorous influencer breakups: What happens when hypervisible relationships end
-
Entertainment4 days ago
‘The Room Next Door’ review: Tilda Swinton and Julianne Moore are magnificent
-
Entertainment3 days ago
CES 2025 preview: What to expect