MPAA Website, Now With Torrents

Written by Ernesto on May 02, 2009 

If it were up to the MPAA, every website with links to copyright-infringing files would be banned from the Internet. Perhaps they should take a closer look at their own website first though, since it’s vulnerable to an XSS attack, making it possible to browse The Pirate Bay directly from the MPAA website.

It is no secret that the MPAA and other anti-piracy outfits would rather spend their money on lawyers than on web designers or coders. Unfortunately for them, this sometimes leads to awkward situations. For example, it turns out that the MPAA website is vulnerable to XSS attacks, allowing the public to inject images, frames and all sorts of random code into the site.

About a year ago the RIAA website suffered from a similar vulnerability and was wiped clean. The RIAA fixed the problem within a few hours and eventually all the ‘lost’ content was restored, but not before thousands of people had fun with it.

The XSS vulnerability on the MPAA website was found on the about page where visitors can submit their favorite movie. In the screenshot below it says “thank you for taking the time to share your favorite movie,” which is the actual text that people get to see when they fill out the form. The Pirate Bay logo and the links to the latest movie torrents are obviously not supposed to be there.

It is “a proof of concept that demonstrates an XSS attack on mpaa.org website,” writes Vektor who covered the details in a blog post, adding that it should be taken as a joke. No lies there, as it made us smile indeed.

MPAA.org featuring The Pirate Bay
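
The class of bug described above, a form value echoed into the thank-you page without escaping, shown next to the output-encoding fix. This is an added example, not the MPAA site's code or Vektor's proof of concept; the template wording after the quoted thank-you text, the function names and the sample submissions are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed template: the thank-you text quoted in the article, followed by
# the submitted title echoed back (the echo position is an assumption).
TEMPLATE = ("<p>Thank you for taking the time to share your favorite movie: "
            "{movie}</p>")

def render_unescaped(movie: str) -> str:
    """The flawed pattern: the form value goes into the markup verbatim."""
    return TEMPLATE.format(movie=movie)

def render_escaped(movie: str) -> str:
    """The fix: HTML-encode the value at the point of output."""
    return TEMPLATE.format(movie=html.escape(movie, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser recognises in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(render, movie: str) -> list:
    """Elements the parser finds beyond the template's own <p>."""
    collector = _TagCollector()
    collector.feed(render(movie))
    collector.close()
    return [t for t in collector.tags if t != "p"]

# Constructed sample submissions (example.invalid is a reserved placeholder).
SAMPLES = [
    "Casablanca",
    "Fast & Furious <3",
    '<img src="https://example.invalid/logo.png">',
    '<iframe src="https://example.invalid/"></iframe>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), injected_tags(render_unescaped, s),
              injected_tags(render_escaped, s))
```

With escaping applied at output, the image and frame submissions arrive in the page as visible text rather than as elements, and ordinary titles containing `&` or `<` still display correctly.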


56 Responses

1 May 03, 2009 at 00:08 by Duo

Mpaa with torrents?

Nu uh :P

2 May 03, 2009 at 00:09 by Torrentia

heh serves them right. First! (Now to go to learn about piracy first hand from the Mpaa website)

3 May 03, 2009 at 00:10 by Rabbit80

Lol!

4 May 03, 2009 at 00:11 by FleazZz

Wow, just wow.

5 May 03, 2009 at 00:11 by Rabbit80

Maybe they should sue themselves in a Swedish court with a corrupt judge?

6 May 03, 2009 at 00:19 by celesto

MPAA *lol*

7 May 03, 2009 at 00:26 by Zush

If only there was a way of dismantling that organization…

8 May 03, 2009 at 00:40 by ReUpLd

bit of a non story here really

9 May 03, 2009 at 00:48 by Sol

*evil plan*
Do you think, If someone posted some copyrighted material to the MPAA website using this exploit, would a DCMA takedown notice take the whole site down???? ;)

10 May 03, 2009 at 00:50 by Rabbit80

Of much more interest is the fact that wolverine just grossed $35 million on its first day – so piracy really harmed sales huh?

http://www.p2pnet.net/story/21207

11 May 03, 2009 at 00:58 by smell my cheese

i filled that form in with ‘ steal this film’ better than all that hollywood crap!!

12 May 03, 2009 at 02:09 by Elite P2P

LOL! This is so ironic. A hacker made them become promoters of the very thing that they are trying to abolish.

13 May 03, 2009 at 02:49 by d2lv

Money Is Truly the one thing on this planet that really does Talk.

14 May 03, 2009 at 02:52 by Guest

@5

Thats funny

15 May 03, 2009 at 02:59 by me

16 May 03, 2009 at 03:40 by Anon

Can’t really do much

17 May 03, 2009 at 03:56 by LMFAOOOOOOO!!!!!!!

EPIC!

18 May 03, 2009 at 03:59 by LMFAOOOOOOO!!!!!!!

I just had a thought … wouldn’t it be funny if that douche “Reasoned Mind” was the one really behind this? Hahaha… <3

19 May 03, 2009 at 04:38 by Dazzer

Unfortunately this will now be counted as a Malicious Attack on MPAA, and they’ll now just have more “evidence” to give to the judge.

20 May 03, 2009 at 04:40 by Anonymous

lol where is reasoned mind in all of this

21 May 03, 2009 at 05:28 by Boolean

quick sue them somebody!

22 May 03, 2009 at 05:54 by ZarathustrA

Dazzer, nobody is as stupid as you’re pretending to be. Just stop. :)

23 May 03, 2009 at 06:12 by RobbingHood

Fail for the MPAA again!

What use have I for their site?

Anti-Piracy? Thats for TF’s for.

Age ratings? Sorry, but parents should be there for that.

Research/Stats? I’ll just look at IMDB/’teh internets’ for that thank you.

Issues? None of any interest at all, apart from the issue that they are a bunch of leeching corporate scumbags.

About us?!! Can’t some nice h4ck3r’s please plaster something appropriate up there?

So, having TPB search on there…WIN.

24 May 03, 2009 at 06:23 by lol

MPAA <3 TPB

25 May 03, 2009 at 06:29 by c0rr0sive

Watched the new Xmen movie… Once it hits bluray, I will be downloading… Paid $14 for the ticket… That is the cost of a dvd so.

26 May 03, 2009 at 07:53 by Neo

Hahaha. Oh man, this is going on my Facebook.

27 May 03, 2009 at 08:06 by George

Did anyone else notice the torrents that are listed?

BSDM

28 May 03, 2009 at 08:17 by Terminator

Reasoned Mind will have a lot of trouble reasoning with his mind whether they should sue themselves or not. LOL! . The Pirate bay should sue them for illegally posting links to their torrents without proper approval.

29 May 03, 2009 at 08:19 by BritSwedeGuy

Now the MPAA has to sue itself and cause the universe to disappear.

30 May 03, 2009 at 09:51 by someone

lol nice :)

31 May 03, 2009 at 10:08 by netwiz

imao,that bug still works fine…so anybody want to fix it ?

32 May 03, 2009 at 10:57 by St0fzguier

haha pwn3d

33 May 03, 2009 at 11:39 by Benjamin the Donkey

Dont forget. Anyone who makes money off of prostitutes is a pimp.
Except the IRS!

34 May 03, 2009 at 13:55 by Anonymous

great act in response to the anti-piracy group

35 May 03, 2009 at 14:05 by Dem fan

Shit! It still works:)….

36 May 03, 2009 at 14:17 by h33t

well done guys

show them they know nothing about the technology they are messing with

http://www.h33t.com knows the missing pirate bay millions will be put to good use fighting this war against ugly imperialism on the free internet

37 May 03, 2009 at 14:26 by hiphop

This is a complete non-issue, it’s something each user can do as an exploit to make a webpage show up as a frame in their site. This article is as stupid as if I saved a page of torrentfreak as a file, replaced an image with porn, and wrote an article about how torrentfreak has porn on the site.

In the past ernesto used to have great articles, but they have gone completely downhill into mindless drabble.

From disguising the wyzo 3 advertisement to claiming pirates are the largest paying consumers of music, he writes articles with deceptive topics and topics when there is nothing real happening merely to fill his quota of two articles a day.

I read torrentfreak for news, not because somebody can make an iframe show up on a website.

38 May 03, 2009 at 14:31 by Anonymous

Somebody should make their “about us” page goatse.

39 May 03, 2009 at 15:53 by dnA

No matter how many hacking attempts are made against MPAA & their allies, or exploiting their vulnerabilities, they are currently gaining a favourable position from the governments of different countries. So what do we see ourselves in future.
1. Any activity (legitimate/illegitimate) done using P2P will be called a “criminal activity”. See, it’s already started (ref. BBC documentary: some days back).
2. ISPs will be forced to reveal any personal information and innocent people will be harassed because these guys always have low technical know-how.

40 May 03, 2009 at 16:03 by Internet

It saddens me to see the Pirate Bay go down. But really MPAA? You can’t control what goes around on the internet… If you outlaw torrents then something better is going to come around and it’s going to be TWICE as hard to make that illegal. Everything on the net should be free because no one really owns the internet.. Oh yeah, your sales are down, my ass… I can only hope this gets better..

41 May 03, 2009 at 16:43 by Vektor

@41: XSS is their failure to escape user input, not a hacking attempt.
@37: This is a bug in their website, not some edited page that is loaded in a browser. They are easy to be found by anyone and it doesn’t take more than a few seconds to correct them. Do you prefer to be warned about them here or… would you like to install some new browser plugin / codec to see their website?
@16, @9: The screenshot is funny but the bug behind it is presented as a warning. MPAA is not affected by this as much as normal users can be. Someone with bad intents can use it to do some evil things like to send fake legal threats or takedown requests that ask you to download infected “legal documents” linked directly from mpaa.org .
Normally we send an e-mail or make a support ticket to warn about these errors and wait until they get fixed before making them public. In this case we haven’t seen any e-mail address on their website or the name of the person or company who designed it. Hiding that information ( http://torrentfreak.com/mpaa-we-were-only-testing-forest-blog/ ) is not the right thing to do especially when problems like this are found.

42 May 03, 2009 at 18:55 by Hacker/pirates of the world UNITE

WHY WOULD YOU TELL THEM

43 May 03, 2009 at 19:42 by The Laugher

Tee hee hee!

44 May 03, 2009 at 19:51 by Vektor

@44: No matter how hated they are, this bug can be used against anyone. It’s very easy to use something like this to infect others with trojans (”Click here to install MPAA Genuine Advantage Tool”) / steal credit card details / bypass content filters / send fake takedown requests for legal content / etc.
After all, their website is “safe” in all content filters and firewalls and it isn’t blacklisted for spam / malware / etc. Pages from TPB were marked “unsafe” and blocked for less ( http://torrentfreak.com/the-pirate-bay-user-pages-blocked-by-google-090315/ ).

45 May 03, 2009 at 20:00 by rockyz

sue the MPAA!

46 May 03, 2009 at 21:33 by demonseth17

hahaha…I hope this made them suffer a little bit…damn alligators, they think they will put in jail the pirate bay admins just like that? haha…damn I should have known I would have help! XD

47 May 03, 2009 at 21:33 by demonseth17

hahaha…I hope this made them suffer a little bit…damn alligators, they think they will put in jail the pirate bay admins just like that? haha…damn I should have known I would have help! XD BTW MPAA sucks!

48 May 03, 2009 at 21:35 by demonseth17

I double post X( sorry I just tried to add something before it was sent…my mistake XD

49 May 04, 2009 at 02:55 by Reasoned Mind

That’s pretty funny. Great job to the hacker

50 May 04, 2009 at 06:35 by any682546

very good!

51 May 04, 2009 at 09:47 by Reverend Raging Rabbit

What Happen?
They Set Us Up The Bomb!

Yeah, that’s quite nice. :-)

52 May 04, 2009 at 19:40 by haha

Added MPAA site to my Torrent-Bookmarks folder. :D

53 May 04, 2009 at 21:58 by $hadow

This is getting funny each time it passes :>

54 May 04, 2009 at 22:24 by trancefreak

Mpaa – THE BEST TRACKER IN THE WORLD!

55 May 06, 2009 at 01:25 by herbert

Yes, that is my real email address! Tonight, I had the “fortune” to meet a real believer of the mainstream press. The problem: I have known this man half my life… Tonight, I realized that people who think for themselves are no longer accepted in this society. This is no chatter of someone with too much time on his hands – no, this is an outcry to people who have the ability to follow a movement that will bring this system to its knees. I don’t want to hear them grey mice complaining – I want people who want this land, rotten with corruption, to burn. This text is no joke, no scam – this is the last opportunity to fight for freedom! Thanks.

I am sorry for my bad english – please, correct that text and copy it. Thank you!

56 May 06, 2009 at 01:53 by AHappyPirate

Listen ThePirateBay.org Ownz you and that is all you need to know
