
Mr. Robot Blind SQL Injection Vulnerability - cujanovic
https://corenumb.wordpress.com/2016/05/14/mr-robot-blind-sql-injection-vulnerability/
======
alexc05
It's a great show but, also a fiction.

One would not necessarily expect that it was the actual Mr. Robot who created
the website for the show. In fact, I'd expect it to be a relatively junior
agency.

Which would mean they've got QA & security processes to match.

I'd also suspect that as an overwhelmingly awesome show that glorifies
hackers, they're probably a relatively "safe" target.

I mean, we're talking the game of thrones of computer nerd shows here...

~~~
FussyZeus
Or attracts hackers. ;)

Nevertheless I find it more telling in terms of what the given company is
about by their response to being shown a vulnerability than necessarily
writing perfect software every time.

------
d33
I'm always worried about where the line is with this kind of pentest. I
assume that it wasn't ordered by the site owner, and even though the author
clearly did the webmaster a favor... couldn't he get in trouble by
sqlmapping random sites?

~~~
jvehent
Site operators should reward responsible disclosure, not get researchers into
trouble. Bug bounties are a good way to do that. Unfortunately, there are
still people out there who don't understand their true value.

~~~
user_0001
I broke into your house whilst you were on holiday. Didn't you realise that I
could smash your window and climb in?

Here is a box of all your valuables. Reward, please.

~~~
cayal
To continue your analogy, 1000 other potential robbers are trying to get in
every day, you are virtually always on holiday or otherwise outside the house,
and the window was voice-activated. The intruder said a well-known special
phrase which caused it to open. The expectation is that you've checked the
windows, door, lock, and any other potential openings yourself to make sure
they can't be entered like that. So yes, I'd say the person who doesn't take
the valuables and run is doing you a huge favor.

------
taneq
But did you delete it? If you deleted it, we got nothing to talk about.

------
aaronwidd
I was actually hoping this was going to be a story about a very clever
marketing campaign.

~~~
yellowapple
Same. This would've been the perfect opportunity for some kind of Easter Egg.

------
jbaviat
The mother of all web vulns - yet I don't recall many SQL injections in the
show; this may land in season 2 ;) Anyway, if you want a reliable SQL
injection protection, I suggest you try Sqreen
([https://sqreen.io](https://sqreen.io)) - PHP support is coming soon!

~~~
nikcub
Recommending a product from a company you work for without disclosing it is
icky.