Pornhub says hacker’s claim of taking control of web server is a hoax

Less than a week after announcing a new bug bounty program, the adult website Pornhub is refuting claims that its web server was compromised by a hacker.

On Saturday (14 May), a hacker with the pseudonym Revolver posted screenshots on Twitter under the username @1×0123 which purported to show that he had exploited a vulnerability in Pornhub’s website and had shell access to a Pornhub subdomain, which he promised to sell to any bidder for just $1000.

https://twitter.com/1×0123/status/731622179922706432?ref_src=twsrc%5Etfw

The hacker’s tweets got the attention of infosec writer Steve Ragan, who quickly published a story on CSOonline.com reporting the alleged breach on Saturday.

Revolver told Ragan that he exploited a vulnerability in the Pornhub user profile image upload script, which supposedly allowed him to get “full control” over Pornhub’s server.

Claims of a breach can be difficult to verify, because if you did miss a successful cyberattack, it could take weeks of analysis to find out what happened.

But Pornhub responded on Sunday, saying that it investigated the hacker’s claim, and determined that it was a hoax.

https://twitter.com/Pornhub/status/732047231411486722?ref_src=twsrc%5Etfw

In a statement to CSOonline, Pornhub said the “attack described by the hacker is not technically feasible,” and no Pornhub systems were breached:

The Pornhub team investigated the claim from the hacker named 1×0123. Our investigation proved that while those screenshot might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.

Revolver’s exploit involved uploading a fake image file with PHP shell code, but Pornhub said the file was too large, and its server is not configured to execute PHP anyway:

Even if the server would accept this fake image file we don’t allow code to be executed as an image extension.

Revolver has a history of boasting about his hacking skills.

Motherboard reported that Revolver is a 19-year-old “gray hat Moroccan hacker,” who previously claimed to have found vulnerabilities in the websites of the Los Angeles Times and Mossack Fonseca, the company at the center of the Panama Papers controversy.

He did get credit for reporting a vulnerability in the website of Edward Snowden’s Freedom of the Press Foundation, which earned him a public “thanks” from Snowden himself.

In March, Revolver launched a website called VNC Roulette that showed the IP addresses of thousands of computers that were exposed to hacking due to unsecured VNC remote access tools.

Revolver took down the website after a short time, saying that he had sold the list of hackable computers to some Russians for $30,000, according to Motherboard.

If Revolver really did find a vulnerability in Pornhub’s server, he might have tried to earn up to $25,000 in Pornhub’s bug bounty program.

But Revolver said he doesn’t report vulnerabilities anymore, tweeting:

https://twitter.com/1×0123/status/731627800814321664?ref_src=twsrc%5Etfw

Revolver’s response to having his hacking claims dismissed indicates he won’t be disputing Pornhub’s version of events.

https://twitter.com/1×0123/status/732247146322382848?ref_src=twsrc%5Etfw

I’m guessing Revolver won’t be staying silent for too long.