steven36 Posted May 15, 2016

Hacker used flaws in the user profile system to gain access

On Saturday evening, an underground researcher running the 1x0123 Twitter account offered command injection abilities and shell access to a subdomain on Pornhub for a mere $1,000 USD.

The offer included two images in order to demonstrate access to the Pornhub server, and when asked how the shell was uploaded, 1x0123 said a vulnerability in the user profile script that handles images enabled the shell's upload. However, 1x0123 stated the user profile flaw isn't related to the recently disclosed ImageMagick vulnerability.

Once the shell is uploaded, browsing to the proper URL will open it and enable command injection. In short, if someone pays for access, they'll have full control over the environment.

Shortly after the LA Times offer was made, 1x0123 disclosed an SQL Injection vulnerability on one of the servers used by Mossack Fonseca, the law firm at the center of the Panama Papers controversy.

The going price of $1,000 is low considering anyone purchasing access would essentially control key parts of the server and any pages loaded from it. Pornhub sees more than 60 million daily visits, or roughly 2.1 million visits per hour. Not to mention, reporting the root cause leading to the shell being uploaded could possibly fetch a much larger sum via Pornhub.

Moreover, it looks as if 1x0123 anticipated this observation by stating on Twitter, "I don't report vulnerabilities anymore, go underground or go home."

The last time 1x0123 was connected to a reported vulnerability was on April 10, 2016. It was then that Edward Snowden personally thanked 1x0123 for reporting a vulnerability in Piwik to the Freedom of the Press Foundation.

Salted Hash has reached out to both HackerOne and Pornhub for reaction and comments. This story will be updated should they choose to respond.

The Source