CraveTV Hacking, eh!

Executive Summary:

CraveTV (part of Bell Canada), has failed to properly secure their Video On Demand (VOD) streaming service. Which makes it easier for hacker to steal customers’ login credentials, credit cards, and personal information. CraveTV operates their website without a SSL Certification (HTTPS), and if there is a HTTPS certification, then CraveTV support staff will advise to just remove it, in order for CraveTV to work.

Background:

CraveTV was founded in 2014 by Bell Canada, to compete against Netflix and Amazon, by buying the rights to the majority of HBO and Showtime content in Canada. CraveTV functions very much like Netflix and Amazon by suggesting shows to watch to and even creating it’s own content. (https://en.wikipedia.org/wiki/CraveTV)

The Hack:

The problem revolves around the lack of use of an HTTPS certification.

By not using a HTTPS certification, the data is not encrypted, which means that anybody with the most basic of computer skills could spy on what a person doing while on the CraveTV website, whether it’s knowing the embarrassing shows secretly being watched or login information, since the login part of the site is not secure either. Using a simple hacking tool like WireShark, anyone can view the login information, since the packets will not be encrypted and provided the customer doesn’t use a VPN. Once the login information is obtained, all of the credit card and personal information a customer has on file, can easily be accessed under the Accounts section.

And don’t worry about 2-factor authentication, they don’t offer that, because who would want to make sure all their credit card data and personal information is secure?

Another big problem with CraveTV is that they send their customers, emails with links to the site where they have to login. As oppose to just asking them to go to their website and login.

This practice is a security risk since it is a common tactic for hackers to put a link in an email for a victim to click on, which allows hackers to install malware, spyware or use hacking tools to steal a customers’ login credentials and/or session id.

But the troubles don’t end there, since it appears CraveTV is aware of the security problems and they encourage it???????

How Canadian, eh?

And lastly, if a person still choose to use CraveTV, good luck trying to get it to work, since CraveTV does not work on computers, which sucks for the millions of people who don’t have an AppleTV or Bell Canada as their service provider. There is even an entire reddit section for this Canadian problem.

Conclusion:

It appears that Bell Canada, is eager to beat Netflix and Amazon in the VOD streaming market, so they are most probably pouring all their money into funding the content of their service. However they have failed to ensure that their service works and is secure. Which is a very good indication that they are cutting costs at every corner, in order to help make the VOD streaming division profitable.