Awards-Screeners.com, a website used by major Hollywood studios to provide streaming access to movies for voters of the Oscars and other awards, was operating a user database that was publicly exposed on the internet until recently, according to a security researcher, who published his findings Friday.
As recently as two weeks ago, the website was operating a user database published openly on the public internet through Amazon Web Services, according to Chris Vickery, who works as a security researcher with security and utility software company Kromtech Alliance. In a blog post, he said he discovered about 160 usernames and hashed passwords associated with email addresses at Paramount Pictures, Disney, Warner Bros., 20th Century Fox and Sony Pictures Entertainment.
The site is operated by Valencia, Calif.-based Vision Media Management & Fulfillment, a media promotions company that in 2015 established Awards-Screeners.com in partnership with the MPAA and its six member studios. Vision Media’s site says Awards-Screeners.com provides an “industry-wide, streaming, digital, forensically watermarked awards screener platform for all Academy, BAFTA, guild, critics and awards voters.”
According to Vickery, the Awards-Screeners.com user database was secured shortly after he contacted Vision Media about the issue last month. But subsequently, he said, he also discovered publicly accessible data that “shed light on the interplay between Vision/Deluxe Media, Kaltura, Netflix, and other players.”
In a statement, the company said, “Vision Media Management & Fulfillment takes very seriously this information, and has taken steps to address the stated concerns. Vision is conducting its own investigation and has engaged an outside forensics firm, Stroz Friedberg… Vision is continuing to investigate and taking steps to prevent any similar incident in the future.”
Vision Media pointed out that the passwords in the database were “strongly hashed” and encrypted. In addition, it said, none of the exposed data contained any screener content or “sensitive personally identifiable information.” The company’s statement was provided by its outside law firm, Frankfurt Kurnit Klein & Selz.
While the passwords were encrypted, a persistent or knowledgeable hacker might have been able to gain access to the system, Vickery speculated. “Statistically speaking, at least a few of these hashes were likely the result of a user that picked an easy-to-guess base password,” he wrote.
Kromtech’s motives for publicizing the alleged security hole — after it was already apparently fixed — seem to be to promote its MacKeeper security software, which the company says offers anti-theft protection, a safe browsing utility, and an antivirus application. In the past MacKeeper has been accused of using shady marketing tactics, including popping up error messages to prompt users to buy the software. ZeoBit, the company that previously owned MacKeeper, reached a $2 million settlement to resolve a proposed class-action lawsuit last year. (Germany-based Kromtech, the new owner of MacKeeper, called the suit “frivolous” while it also said it would change the way MacKeeper is advertised and marketed.)
A Kromtech representative denied that the findings the company published about Awards-Screeners.com were for promotional reasons. “The MacKeeper Security Research Center aligns with our mission to promote cybersecurity and best practices for securing data,” the rep said.