Life imitated art after a hacker discovered a security hole in Mr. Robot's new promotional website for season two.
USA Network's hacking drama patched a security flaw on Tuesday that could have allowed an attacker to target millions of fans who watch the popular TV show, according to The Hacker News.
A white hat hacker who only goes by the alias Zemnmez stumbled upon a cross-site scripting (XSS) vulnerability in Mr. Robot's promotional website, whoismrrobot.com, which doesn't use HTTPS encryption.
The second season, which premieres on July 13, has already been acclaimed by viewers and critics alike for its accurate representation of cybersecurity and real-life hacking. The new promo also features President Barack Obama giving a speech about a cyber threat facing the country.
The hacker contacted the show's creator Sam Esmail via email to report the XSS flaw.
The vulnerability unearthed by Zemnmez could have allowed malicious hackers to steal users' personal information on Facebook, as a section of the social network site contains a quiz that asks for a player's private data.
"A threat actor with XSS on whoismrrobot.com could [have used] the XSS to inject JavaScript, which inherits the ability to read Facebook information from the fsociety game," Zemnmez told Forbes. "This could be done mostly silently if correctly engineered with a short popup window."
The security flaw could also have been exploited with some social engineering, such as a phishing email, to get fans of Mr. Robot to click on a link, which would then run the injected JavaScript code. That would have let an attacker obtain a Facebook user's full name, email address and the photos in which they are tagged, Zemnmez said.
According to CGISecurity, cross-site scripting is not limited to JavaScript: attackers can also inject VBScript, ActiveX, HTML or Flash into a vulnerable application to trick users and steal their data. XSS can likewise be used to change user settings, steal or poison cookies, or serve false advertising.
USA Network's owner NBCUniversal has confirmed that the website was patched on Tuesday evening, hours after Zemnmez notified Esmail of the issue.