Less than a week after announcing a new bug bounty program, the adult website Pornhub is refuting claims that its web server was compromised by a hacker.
On Saturday (14 May), a hacker with the pseudonym Revolver posted screenshots on Twitter under the username @1x0123 which purported to show that he had exploited a vulnerability in Pornhub’s website and had shell access to a Pornhub subdomain, which he promised to sell to any bidder for just $1000.
https://twitter.com/1x0123/status/731622179922706432?ref_src=twsrc%5Etfw
The hacker’s tweets got the attention of infosec writer Steve Ragan, who quickly published a story on CSOonline.com reporting the alleged breach on Saturday.
Revolver told Ragan that he exploited a vulnerability in the Pornhub user profile image upload script, which supposedly allowed him to get “full control” over Pornhub’s server.
Claims of a breach can be difficult to verify: if a successful cyberattack did slip past you, it could take weeks of analysis to find out what happened.
But Pornhub responded on Sunday, saying that it investigated the hacker’s claim, and determined that it was a hoax.
https://twitter.com/Pornhub/status/732047231411486722?ref_src=twsrc%5Etfw
In a statement to CSOonline, Pornhub said the “attack described by the hacker is not technically feasible,” and no Pornhub systems were breached:
The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.
Revolver’s exploit involved uploading a fake image file with PHP shell code, but Pornhub said the file was too large, and its server is not configured to execute PHP anyway:
Even if the server would accept this fake image file, we don’t allow code to be executed as an image extension.
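The two defences Pornhub describes (a size limit plus never treating an upload as executable code) can be checked in an upload handler. This is an added illustration, not Pornhub’s code; the size limit, the upload directory and the sample “fake image” are assumptions:

```python
"""Added example (not Pornhub's code): the checks that defeat an upload of a
"fake image file with PHP shell code", as described in the article."""
import re
from typing import Tuple

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit; the article gives no figure
UPLOAD_PREFIX = "/uploads/"         # assumed location of stored profile pictures

# Magic bytes of the image formats a profile-picture upload should accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# A genuine picture never contains a PHP open tag anywhere in its bytes.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_profile_image(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason_or_storage_extension).

    Size is checked first, then the file must start with a known image
    signature, then it must not carry PHP tags. The extension used to store
    the file is chosen by the server from the detected format, never taken
    from the client-supplied filename.
    """
    if len(data) > max_bytes:
        return False, "too large"
    ext = next((e for sig, e in IMAGE_SIGNATURES.items() if data.startswith(sig)), None)
    if ext is None:
        return False, "not a recognised image"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, ext


def handler_for(request_path: str) -> str:
    """Routing decision the web server should make for a request path:
    nothing under the upload directory is ever handed to the PHP
    interpreter, whatever the file happens to be named."""
    if request_path.startswith(UPLOAD_PREFIX):
        return "static"
    return "php" if request_path.endswith(".php") else "static"


# Constructed sample: a valid GIF header followed by a harmless PHP tag.
FAKE_IMAGE = b"GIF89a" + b"\x00" * 16 + b"<?php echo 'not a picture'; ?>"
```

The second layer matters even if the first is bypassed: a file that slips through validation but lives under a path the server only serves as static content cannot be executed.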
Revolver has a history of boasting about his hacking skills.
Motherboard reported that Revolver is a 19-year-old “gray hat Moroccan hacker,” who previously claimed to have found vulnerabilities in the websites of the Los Angeles Times and Mossack Fonseca, the company at the center of the Panama Papers controversy.
He did get credit for reporting a vulnerability in the website of Edward Snowden’s Freedom of the Press Foundation, which earned him a public “thanks” from Snowden himself.
In March, Revolver launched a website called VNC Roulette that showed the IP addresses of thousands of computers that were exposed to hacking due to unsecured VNC remote access tools.
Revolver took down the website after a short time, saying that he had sold the list of hackable computers to some Russians for $30,000, according to Motherboard.
If Revolver really did find a vulnerability in Pornhub’s server, he might have tried to earn up to $25,000 in Pornhub’s bug bounty program.
But Revolver said he doesn’t report vulnerabilities anymore, tweeting:
https://twitter.com/1x0123/status/731627800814321664?ref_src=twsrc%5Etfw
Revolver’s response to having his hacking claims dismissed indicates he won’t be disputing Pornhub’s version of events.
https://twitter.com/1x0123/status/732247146322382848?ref_src=twsrc%5Etfw
I’m guessing Revolver won’t be staying silent for too long.
David Pottage
I would give some credence to the possibility of hacking the server via image upload because of the recently disclosed vulnerability in ImageMagick.
About a year ago, while working as a web developer, I was writing a feature to allow users to upload profile pictures. As most users uploaded selfies from their camera phones, which were about 5 megapixels, and for the website the profile picture needed to be 200 pixels square, the first thing my code did was put it through ImageMagick to scale the image.
In my case, I was quite defensive, and I did a number of checks to make sure it was really an image before allowing it near ImageMagick, but if the developers at Pornhub were not so careful, I can easily see how their site could be compromised via a profile picture upload.
Steve
“Revolver’s exploit involved uploading a fake image file with PHP shell code, but Pornhub said the file was too large, and its server is not configured to execute PHP anyway:”
Did you overlook the last part of that statement, David?
Sootie
If you actually read the comments from Katie from Pornhub on Reddit, she explains why it is not possible and how the devs have looked at the screenshot for the last couple of days scratching their heads, because none of the server names or details posted match up with anything actually on the Pornhub servers.