A hacker who goes by the nickname Revolver (@1x0123 on Twitter) reportedly put access to Pornhub servers up for sale today, asking $1,000 for shell access and command injection capabilities.

In less than 20 hours, Revolver told his followers that someone had contacted him and that he had sold the exploit (this tweet was later deleted).

Pornhub said the hacker didn’t gain access to a production server

According to clues he left in Twitter conversations, Revolver discovered a vulnerability in the script that handles image uploads for user profiles, which he used to upload a webshell to Pornhub's servers, which in turn gave him command injection capabilities.

His exploit came a week after the ImageTragick vulnerability began claiming victims in the same manner, but Revolver said his exploit did not use ImageTragick.
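The attack path described above (an image-upload script that accepts a server-side script and stores it where the web server will execute it) is defeated by validating uploads on content rather than on the client-supplied filename, and by never letting that filename reach the filesystem. The validator below is an added example written for this article; it is not Pornhub's code, and the size and dimension limits, the sample filenames and the byte strings are all constructed assumptions.

```python
import os
import secrets
import struct

# Hardened profile-image upload validation (added example, not Pornhub's code).
# The uploader controls the filename and the bytes; the server trusts neither.

# Magic-byte signatures for the only formats a profile picture may be.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # GIF87a / GIF89a
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_BYTES = 2 * 1024 * 1024      # assumed limit for a profile picture
MAX_DIMENSION = 4096             # assumed limit; rejects decompression bombs early


def sniff_format(data: bytes):
    """Identify the image format from content, ignoring the client's filename."""
    for fmt, magic in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def png_dimensions(data: bytes):
    """Read width/height from the IHDR chunk that every PNG starts with."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def validate_profile_image(filename: str, data: bytes):
    """Return (accepted, reason, server_chosen_name).

    The returned name is generated server-side, so nothing the client sent
    ever reaches the filesystem or a URL.
    """
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload", None

    # basename() drops any directory component; multiple suffixes ("avatar.php.jpg")
    # are rejected because some web servers pick the handler from any suffix.
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension", None
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed", None

    fmt = sniff_format(data)
    if fmt is None:
        return False, "content is not a recognised image", None
    if (fmt == "jpg" and ext not in ("jpg", "jpeg")) or (fmt != "jpg" and ext != fmt):
        return False, f"extension {ext!r} does not match content ({fmt})", None

    if fmt == "png":
        dims = png_dimensions(data)
        if dims is None or max(dims) > MAX_DIMENSION or min(dims) == 0:
            return False, "PNG header missing or dimensions out of range", None

    # Random, server-chosen name with the canonical extension for the sniffed format.
    stored_name = f"{secrets.token_hex(16)}.{fmt}"
    return True, "", stored_name


def _minimal_png(width: int, height: int) -> bytes:
    """Constructed PNG prefix: signature + IHDR chunk (CRC left as zeros)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return SIGNATURES["png"] + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4


# Constructed sample uploads covering the cases the validator must handle.
SAMPLES = {
    "valid_png": ("avatar.png", _minimal_png(128, 128)),
    "script_extension": ("upload.php", b"<?php echo 'hello'; ?>"),
    "double_extension": ("avatar.php.jpg", SIGNATURES["jpg"] + b"\x00" * 32),
    "script_as_png": ("avatar.png", b"<?php echo 'hello'; ?>"),
    "oversized_png": ("avatar.png", _minimal_png(100000, 100000)),
    "ext_mismatch": ("avatar.gif", _minimal_png(16, 16)),
    "path_in_name": ("../avatar.png", _minimal_png(16, 16)),
}


def run_samples():
    """Map each sample to whether the validator accepts it."""
    return {name: validate_profile_image(fn, data)[0] for name, (fn, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fn, data) in SAMPLES.items():
        ok, reason, stored = validate_profile_image(fn, data)
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'} {stored or reason}")
```

Two design points matter more than the individual checks: the stored filename is random and chosen by the server, so a client can never pick an extension the web server would execute, and the format is decided by the bytes, so a script renamed to .png fails before it is ever written. Storing accepted files in a directory the web server serves as static content only, with script execution disabled there, closes the remaining gap.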

Pornhub responded on Twitter 15 hours later, saying they were looking into it, but “it doesn’t seem like access was gained to a production server.”

Exploit came four days after Pornhub announced a bug bounty program

Pornhub has between 30 and 60 million daily visitors, and the service would be a valuable target for any hacker, giving whoever controls it immediate reach to a very large user base.

Revolver asked only for $1,000. Compared to the prices of exploits exchanged on hacking forums and Dark Web markets, the hacker’s offer is a bargain.

Four days ago, Pornhub also launched a bug bounty program, and an exploit like this would have netted Revolver much more than $1,000. After posting his tweets announcing the sale, the hacker also tweeted out he doesn’t participate in bug bounty programs anymore.

Revolver (1x0123) has made a name for himself in the exploit market

Revolver had already made a name for himself after he discovered an SQL injection flaw in one of the servers of Mossack Fonseca, the company from which the Panama Papers data breach originated.

Additionally, in the past few weeks, the hacker sold data stolen from Naughty America servers, and he also sold an exploit that granted access to the backend panel of the LA Times.

His Twitter timeline is a showcase of hacks and exploits found in the Web servers of companies such as Telegram, SourceForge, the New York Times, Outlook.com, the US Army, and NASA.

Revolver also did some good deeds when he informed Edward Snowden of a blind XSS (cross-site scripting) flaw in the Piwik self-hosted analytics service used on the website of the Freedom of the Press Foundation, a project the US whistleblower is involved in. Snowden thanked him personally in a tweet.

Hacker announcing he's selling access to one of Pornhub's servers
