That 19-Year-Old Hacking PornHub And Selling Control Access Was A Hoax, So Count Your Stars Tonight

by 2 years ago

pornhub hack hoax

Yesterday, we reported that a 19-year-old hacker, whose alias is “Revolver,” had hacked into PornHub in response to a recent Bug Bounty program the site launched to solicit hackers and researchers to find potentially harmful security flaws in the system.

The methods Revolver described he allegedly used would have put him in the driver’s seat for the site’s main controls – something startling to think of for a site accessed by millions each month…some more routinely than others, if you catch my drift. Revolver at one point stated he had even sold access to the site’s control panel for a mere $1,000.

Luckily, it seems that this whole ordeal was a hoax. PornHub slid into our DM’s late last night to give us the [phenomenal] news that the site was not, in fact, compromised – something with ramifications for all of us, obviously.

Updates of how PornHub got to the bottom of this were shared with the original publication that broke the story of the porn magnate getting made, CSOnline, and the whole scenario is a pretty fascinating read to be honest.

On Twitter, a Pornhub spokesperson says it looks as if the shell is on a non-production server, but the company is investigating.

Update 2:
By Sunday afternoon, 1×0123, who goes by the handle Revolver when communicating via XMPP, confirmed that he had sold access to Pornhub to three people.

“2 guys with shell, 1 guy for a command injection script,” he told Salted Hash.

Pornhub contacted Revolver for more information. He offered to share those details, and help patch the vulnerability that allowed such access, for total cost of $5,000 USD. It isn’t clear if the adult entertainment giant agreed to those terms.

Update 3:
On Sunday evening, Pornhub issued a statement calling the incident a hoax, stating the methods described by Revolver were not possible. At first, the company thought a test server, or a non-production server was targeted, but the website later determined that nothing at all was compromised.

When asked for details on why the methods used were invalid, a spokesperson said that they worked with Revolver.

He provided a copy of the file used to dump the shell. According to Pornhub, that file cannot be uploaded to the server due to size restrictions on avatars.

“Even if the server would accept this fake image file we don’t allow code to be executed as an image extension. He provided conflicting information and left the chat shortly after,” the spokesperson said.

A company engineer added that the technique Revolver described was to upload an image file containing PHP code, but the servers are not configured to execute PHP, and so the attack would fail.

When asked if Pornhub could confirm if they paid for Revolver’s assistance, the spokesperson could not.

Essentially, if the internet was a giant poker table, PornHub just called Revolver’s bluff, which, if we’re being honest, must’ve been a pretty compelling one at that. Dude recently got a shoutout from Edward Snowden for finding vulnerabilities in the Freedom Of The Press foundation’s architecture.

And he also uncovered an SQL injection vulnerability on one of the servers of Panamanian law firm Mossack Fonseca, which finds itself at the center of the recent Panama Papers controversy.

PornHub also released a statement via Twitter letting users know all is well in pornland.

As well as one in a press release, reiterating the lofty rewards at stake for its Bug Bounty program.

“The Pornhub team investigated the claim from the hacker named 1×0123. Our investigation proved that while those screenshot might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.

“The safety and security of our users is Pornhub top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibility report any legitimate vulnerabilities in exchange for bounty as high as 25,000$.”

Revolver later did delete his Tweet claiming access to the website was pawned off of a mere grand. Phew. All is well in the kingdom tonight.


TAGShackingpornhubRevolverUnderground researcher

Join The Discussion