Pornhub says the hacker didn't breach their main servers

May 15, 2016 21:20 GMT  ·  By

A hacker who goes by the nickname of Revolver (@1x0123 on Twitter) supposedly sold today access to Pornhub servers, asking for $1,000 for shell access and command injection capabilities.

In less than 20 hours, Revolver announced to his followers that someone had contacted him and that he had sold the exploit (this tweet was later deleted).

Pornhub said the hacker didn't gain access to a production server

According to clues he left in Twitter conversations, Revolver discovered a vulnerability in the script that handles image uploads for user profiles, which he used to upload a webshell on Pornhub's servers. This, in turn, allowed him to get command injection capabilities.
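The article does not say which language Pornhub's upload script was written in or what the flaw was, so the following is an added illustration, not code from the article or from Pornhub: a profile-image upload handler written to close the class of bug described above (a client-supplied "image" that is really a server-side script). It checks the file's magic bytes against an allowlist, requires the extension to match the sniffed type, discards the client's filename in favour of a random one, and writes the file without execute permissions into a directory that is assumed to live outside the web root. All sample files, names and limits are constructed for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Allowlisted image formats, keyed by leading magic bytes (constructed list;
# extend with care, every entry widens what the server will accept)
MAGIC: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for a profile picture


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the canonical extension for the content, based only on magic bytes."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_image(filename: str, data: bytes) -> str:
    """Return the canonical extension to store under, or raise UploadRejected.

    The client-supplied filename is consulted only to reject obvious mismatches;
    it is never used to decide the type, and never reused on disk.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image format")
    normalised = ".jpg" if ext == ".jpeg" else ext
    if normalised != sniffed:
        raise UploadRejected("extension does not match file content")
    return sniffed


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_image(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, storage_dir: Path) -> Path:
    """Validate, then write under a random name with no execute bits set."""
    ext = validate_image(filename, data)
    storage_dir.mkdir(parents=True, exist_ok=True)
    dest = storage_dir / (secrets.token_hex(16) + ext)
    # O_EXCL guards against a race on the random name; 0o640 means the
    # web server can read the file but nothing can execute it.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


# Constructed sample uploads: a minimal PNG header and a fake script body
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SCRIPT = b"<?php /* constructed stand-in for a webshell */ ?>"


def demo() -> Dict[str, object]:
    """Run the validator over the constructed samples and return the outcomes."""
    storage = Path(tempfile.mkdtemp()) / "uploads"
    stored = store_upload("avatar.png", SAMPLE_PNG, storage)
    return {
        "png_as_png": is_accepted("avatar.png", SAMPLE_PNG),
        "script_as_jpg": is_accepted("avatar.jpg", SAMPLE_SCRIPT),
        "png_as_php": is_accepted("avatar.php", SAMPLE_PNG),
        "png_double_ext": is_accepted("avatar.php.jpg", SAMPLE_PNG),
        "stored_suffix": stored.suffix,
        "stored_mode": oct(stored.stat().st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

The double-extension case is worth noting: `avatar.php.jpg` with PNG content is rejected here because the extension and the sniffed type disagree, and even a well-formed JPEG under that name would be written as `<random>.jpg`, so the `.php` segment never reaches the filesystem. Magic-byte checks alone are not sufficient for formats whose parsers interpret embedded content (the ImageTragick issue mentioned below is the obvious case), so the storage location and permissions carry as much of the defence as the validation does.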

His exploit came a week after the ImageTragick vulnerability began claiming victims in the same manner, but Revolver said his exploit did not rely on ImageTragick.

Pornhub responded on Twitter 15 hours later, saying they were looking into it, but "it doesn't seem like access was gained to a production server."

Exploit came four days after Pornhub announced a bug bounty program

Pornhub has between 30 and 60 million daily visitors, and the service would be a valuable target for any hacker, allowing them instantaneous access to a large attack surface.

Revolver asked only for $1,000. Compared to the prices of exploits exchanged on hacking forums and Dark Web markets, his offer is a bargain.

Four days ago, Pornhub also launched a bug bounty program, and an exploit like this would have netted Revolver much more than $1,000. After posting his messages announcing the sale, the hacker also tweeted out he wouldn't participate in bug bounty programs anymore.

Revolver (1x0123) has made a name for himself in the exploit market

Revolver made a name for himself after he discovered an SQL injection flaw in one of Mossack Fonseca's servers, the company from where the Panama Papers data breach originated.

Additionally, in the past few weeks, the hacker also sold data stolen from Naughty America servers, as well as an exploit that granted access to the backend panel of the LA Times.

His Twitter timeline is a showcase of hacks and exploits found on the Web servers of companies such as Telegram, SourceForge, the New York Times, Outlook.com, the US Army, and NASA.

Revolver also did some good deeds when he informed Edward Snowden of a blind XSS (cross-site scripting) in the Piwik self-hosted analytics service used on the Freedom of the Press Foundation website, a project the US whistleblower is involved in. Snowden thanked him personally in a tweet.

UPDATE: Pornhub has told Softpedia that the entire affair is nothing but a hoax and provided the following statement for its users.

  The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events. The safety and security of our users is Pornhub's top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibly report any legitimate vulnerabilities in exchange for bounties as high as $25,000.

On background: When Revolver advertised and sold the LA Times exploit, the LA Times admitted that its systems had been compromised. When Revolver advertised the SQL injection flaw on the Mossack Fonseca website, the company was not available for comment, and nobody ever saw the exploit. The media outlet that reported the Naughty America data breach never contacted the adult entertainment company to verify the validity of the leaked data. In the case of Pornhub, nobody ever saw or used the exploit, so Revolver's claims may or may not be a hoax.
Image: Hacker announcing he hacked Pornhub

Image: Hacker announcing he's selling access to one of Pornhub's servers