Pornhub said to be compromised, shell access available for $1,000

On Saturday evening, an underground researcher running the 1×0123 Twitter account offered command injection abilities and shell access to a subdomain on Pornhub for a mere $1,000 USD.

See updates at the bottom of this story. On Sunday evening, Pornhub called this incident a hoax.

The offer included two images in order to demonstrate access to the Pornhub server, and when asked how the shell was uploaded, 1×0123 said a vulnerability in the user profile script that handles images enabled the shell’s upload.

However, 1×0123 stated the user profile flaw isn’t related to the recently disclosed ImageMagick vulnerability.

Once the shell is uploaded, browsing to the proper URL will open it and enable command injection. In short, if someone pays for access, they’ll have full control over the environment.

The person making the offer on Saturday is the same person who offered shell access to the LA Times website in April, after a vulnerable WordPress installation was exploited. The LA Times confirmed the hack and later said the issue was resolved.

Shortly after the LA Times offer was made, 1×0123 disclosed an SQL Injection vulnerability on one of the servers used by Mossack Fonseca, the law firm at the center of the Panama Papers controversy.

The going price of $1000 is low considering anyone purchasing access would essentially control key parts of the server and any pages loaded from it. Pornhub sees more than 60 million daily visits, or roughly 2.1 million visits per hour.

Not to mention, reporting the root cause leading to the shell being uploaded could possibly fetch a much larger sum via Pornhub.

Pornhub announced their public bounty program on May 9, following a private, invite-only program managed by HackerOne.

At the same time, it looks as if 1×0123 anticipated this observation, by stating on Twitter, “I don’t report vulnerabilities anymore, go underground or go home.”

The last time 1×0123 was connected to a reported vulnerability was on April 10, 2016. It was then that Edward Snowden personally thanked 1×0123 for reporting a vulnerability in Piwik to the Freedom of the Press Foundation.

Salted Hash has reached out to both HackerOne and Pornhub for reaction and comments. This story will be updated should they choose to respond.

This story was corrected on May 15, the Pornhub bounty program is public and no longer invite-only.

Update:

On Twitter, a Pornhub spokesperson says it looks as if the shell is on a non-production server, but the company is investigating.

Update 2:

By Sunday afternoon, 1×0123, who goes by the handle Revolver when communicating via XMPP, confirmed that he had sold access to Pornhub to three people.

“2 guys with shell, 1 guy for a command injection script,” he told Salted Hash.

Pornhub contacted Revolver for more information. He offered to share those details, and help patch the vulnerability that allowed such access, for total cost of $5,000 USD. It isn’t clear if the adult entertainment giant agreed to those terms.

Update 3:

On Sunday evening, Pornhub issued a statement calling the incident a hoax, stating the methods described by Revolver were not possible. At first, the company thought a test server, or a non-production server was targeted, but the website later determined that nothing at all was compromised.

When asked for details on why the methods used were invalid, a spokesperson said that they worked with Revolver.

He provided a copy of the file used to dump the shell. According to Pornhub, that file cannot be uploaded to the server due to size restrictions on avatars.

“Even if the server would accept this fake image file we don’t allow code to be executed as an image extension. He provided conflicting information and left the chat shortly after,” the spokesperson said.

A company engineer added that the technique Revolver described was to upload an image file containing PHP code, but the servers are not configured to execute PHP, and so the attack would fail.

When asked if Pornhub could confirm if they paid for Revolver’s assistance, the spokesperson could not.

The full statement is below:

“The Pornhub team investigated the claim from the hacker named 1×0123. Our investigation proved that while those screenshot might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.

“The safety and security of our users is Pornhub top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibility report any legitimate vulnerabilities in exchange for bounty as high as 25,000$.”