Slashdot Mirror


Attacker Compromises Pornhub, Sells Shell Access for $1,000, Says Columnist (csoonline.com)

An anonymous reader writes: Four days after launching a bug bounty program, Pornhub is said to be compromised. The person responsible used a vulnerability in the user profile script that handles images (not ImageMagick) and is selling shell access on one of their servers for $1,000 USD. This is the second major website the hacker has shelled. Prior to Pornhub, they compromised the LA Times website.
CSO's security columnist notes that Pornhub "announced their bounty program on May 9, but it's a private, invite-only program managed by HackerOne. As such, it isn't clear if there would've been a way to report this flaw and collect a reward to begin with." In addition, on Twitter the attacker reportedly posted "I don't report vulnerabilities anymore, go underground or go home."

57 comments

  1. Re: Did you know? by Anonymous Coward · · Score: 0

    Mainly I don't care because I hate everyone

  2. Re:Did you know? by Anonymous Coward · · Score: 0

    You again. Ssssssssssssssssssssssssssssssssssh!

  3. Re:Did you know? by Anonymous Coward · · Score: 0, Flamebait

    And now they've turned their Zionism towards Pornhub? What's their goal, to turn Pornhub into a Jewish porn site, because no one has given them one of their own?

  4. Good. Call them on their publicity stunts. by Anonymous Coward · · Score: 2, Insightful

    Bug bounties are bogus. Don't make a lottery out of security.

    1. Re:Good. Call them on their publicity stunts. by Anonymous Coward · · Score: 0

      Why is this idiocy modded insightful?

  5. Distractions by jargonburn · · Score: 1, Offtopic

    "I don't report vulnerabilities anymore; go underground or go home."

    Perfect opportunity for a semicolon, imo. Such a waste of an opportunity!
    /grin

  6. "I don't report vulnerabilities anymore" by phayes · · Score: 1, Insightful

    "I don't report vulnerabilities anymore, go underground or go home."

    Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 1

      All those people that found critical vulnerabilities, reported them in a responsible way and got arrested for doing so are agreeing with him.

    2. Re: "I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      Then why go hunting for vulnerabilities at all?

    3. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 2, Insightful

      "I don't report vulnerabilities anymore, go underground or go home."

      Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.

      As much as I get your feelings on this, the number of people who've been sued after reporting vulnerabilities makes me understand it.

    4. Re: "I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      Because I'd like to believe that deep down we want to help others instead of watching them suffer a breach.

    5. Re:"I don't report vulnerabilities anymore" by JaredOfEuropa · · Score: 3, Insightful

      The difference is: those other people did not deserve to be arrested. For finding a vulnerability and subsequently selling shell access, this guy does deserve it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 1

      Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.

      Maybe you haven't noticed, but those anti-"computer hacking" laws are entirely overbroad and completely vague. That means you could be made to feel the full force of those laws for jaywalking* while holding... anything with a "computer" in it. Like your smartphone, but hey, that microcontroller-equipped sudoku game also qualifies. All you need to make it stick is an experienced smooth-talker, which is apparently the point of lawyer school.

So while I understand your bloodthirsty sentiment, shoddy laws make everyone into targets of opportunity for promotion-hungry prosecutors, and this is a shoddy law. Worse, it came about exactly from abuse of "hacker", and "hacking", words that originally meant something quite entirely different from the complete nothing wrapped in vague fear and lots of posturing by the speaker they indicate now, and this veneration of undefined-but-present dread does not make for more competent prosecutors or law enforcement. All it does is make people feel even more powerless, like how you're asking for the perp to be reamed because apparently we can't get at him.

This isn't justice. It's stupidity wrapped in ignorance and tagged with a "guaranteed to shock" price sticker. Both pornhub and this asshole need liberal application of a cluebat until they see the light, or at least stars. Which is not quite the same thing as asking for them to be tut-tutted to the tune of ten to twenty without parole by clueless judges and confused juries. Sure you can hand out ten to twenty, but you can't do so and make it stick without understanding. As long as we keep worshipping ignorance, as computer security has us do, as evidenced by this little spat, we're not going to get anywhere and arseholes like this will continue to be arseholes in public regardless of what lawbooks we try and throw at 'em.

      * Which is not even a thing in this country.

    7. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      For finding a vulnerability and subsequently selling shell access, this guy does deserve it.

      True, he does deserve it. It's a sad state of affairs though. What used to be a common good (finding, documenting, and fixing security vulnerabilities) is now ruthlessly considered an evil. So much so that this kind of thing is much more likely to happen because the people who are more scrupulous are forced out of the field due to bad laws and overzealous corporations looking to eliminate any and all liability. We had a good thing and now it's gone. Replaced by distrust of those that are vulnerable, and those that would seek to exploit the vulnerabilities of others. But hey, the profits were worth it right?

    8. Re: "I don't report vulnerabilities anymore" by greenfruitsalad · · Score: 1

      haven't you read the article? you can watch pornhub videos through libaa or in 256 colours with libcaca!!!

    9. Re: "I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      Because I'd like to believe that deep down we want to help others instead of watching them suffer a breach.

      When you get arrested for reporting a vulnerability (i.e., you get arrested for "hacking") you may feel differently.

    10. Re: "I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      Would be cool if that site was defaced with a lot of porn and a bold text saying "Go f**k yourself"

    11. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      So we pass tougher laws against computer crime,,,,,,,,,,, More people get burned fostering a culture of angst sentiment,,,,, So we pass tougher laws......... Wait a second wasn't this an anti drug commercial from the nineties. (but he was buying cocaine to work more so he could by more cocaine.) Jeez recursive loops seem to power life at every single turn.

    12. Re: "I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      Because I'd like to believe that deep down we want to help others instead of watching them suffer a breach.

      When you get arrested for reporting a vulnerability (i.e., you get arrested for "hacking") you may feel differently.

      In some cases "hacking" may only involve changing a number in the URL, resulting in access to someone else's online account. On reporting this they are accused of a criminal act.
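The "change a number in the URL" bug described in the comment above is an insecure direct object reference: the server looks up whatever record id the client names and never checks that the logged-in user owns it. The following is an added example, not code from the story, from Pornhub, or from any commenter; the accounts, the `/account/<id>` route and the session ids are constructed for illustration. It shows the vulnerable lookup beside the ownership-checked one, plus the id-enumeration a reporter would stumble into.

```python
"""
Insecure direct object reference (IDOR): the "change a number in the URL" bug.

Added example for illustration. The route, accounts and session ids are
constructed here; nothing is taken from a real site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    email: str


# Constructed sample data: two users, one account each.
ACCOUNTS = {
    101: Account(101, owner_id=1, email="alice@example.invalid"),
    102: Account(102, owner_id=2, email="bob@example.invalid"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested account."""


def _account_id_from_path(path: str) -> int:
    # /account/<id>  ->  <id>; the id is attacker-controlled input.
    return int(path.rsplit("/", 1)[-1])


def vulnerable_view(path: str, session_user_id: int) -> Account:
    """Trusts the id in the URL. Any logged-in user reads any account:
    being authenticated is treated as being authorised."""
    return ACCOUNTS[_account_id_from_path(path)]


def hardened_view(path: str, session_user_id: int) -> Account:
    """Same route, but the record's owner is compared with the session user.
    Missing and not-owned collapse into one denial so the response does not
    reveal which ids exist."""
    account = ACCOUNTS.get(_account_id_from_path(path))
    if account is None or account.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read {path}")
    return account


def readable_ids(view, session_user_id: int, id_range) -> list:
    """Walk a range of ids as a user would by editing the URL; return those
    the view hands back. The vulnerable view leaks every existing record."""
    found = []
    for account_id in id_range:
        try:
            view(f"/account/{account_id}", session_user_id)
            found.append(account_id)
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    print("vulnerable:", readable_ids(vulnerable_view, 1, range(100, 110)))
    print("hardened:  ", readable_ids(hardened_view, 1, range(100, 110)))
```

The fix is not input validation on the id (it is a perfectly valid integer) but an authorisation check tied to the session; deny-by-default on both "not found" and "not yours" keeps the endpoint from doubling as an existence oracle.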

    13. Re:"I don't report vulnerabilities anymore" by Anonymous Coward · · Score: 0

      So we pass tougher laws against computer crime,,,,,,,,,,, More people get burned fostering a culture of angst sentiment,,,,, So we pass tougher laws......... Wait a second wasn't this an anti drug commercial from the nineties. (but he was buying cocaine to work more so he could by more cocaine.) Jeez recursive loops seem to power life at every single turn.

      You appear to be passing null values to your grammar parser. Did you mean to pass ellipses (...) instead?

  7. naughty womans by Anonymous Coward · · Score: 0

    I also would like to have numbers for all those naughty, horny girls watching Pornhub.

    1. Re:naughty womans by Anonymous Coward · · Score: 0

      Women don't enjoy porn - they claim to watch it to get the attention of men, and then run along with it when they've found a guy who's worth keeping and who himself enjoys porn.

    2. Re:naughty womans by dadelbunts · · Score: 0

      Lol, you obviously don't know women.

  8. People Actually Subscribe? by sycodon · · Score: 2

    I watch porn just like every other guy and not a small number of women.

    But who actually pays to subscribe to something that is obviously available for free?

    If they want me to pay money they'd better send one of those Nubile girls to my house.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:People Actually Subscribe? by Anonymous Coward · · Score: 0

      If they want me to pay money they'd better send one of those Nubile girls to my house.

      Holy shit, put a warning in front of that sentence. I almost spit out my coffee over my monitor.

    2. Re:People Actually Subscribe? by Anonymous Coward · · Score: 0

      I'll pay for quality stuff, but it's becoming more difficult to compete with free. Sadly the reaction of paid porn sites seems to be to raise subscription fees to make up for lost customers.

    3. Re:People Actually Subscribe? by Nemyst · · Score: 1

      I could see people paying if someone came up with a Netflix for porn: cheap, access to lots of content and some high quality in-house stuff. As it is now, I don't understand it; paid porn sites have prices that'd make even cable providers blush.

    4. Re:People Actually Subscribe? by Anonymous Coward · · Score: 2, Funny

      ...a Netflix for porn

      Agreed, there's money to be made here. I mean someone's already made "the Facebook for Sex", which must be doing well as I see ads for it everywhere, AND apparently there's plenty of singles in my area!

    5. Re:People Actually Subscribe? by Anonymous Coward · · Score: 0

      They have it; check out www.xcritic.com for the links. I don't subscribe, so I'm not sure of the names of the services.

    6. Re: People Actually Subscribe? by Anonymous Coward · · Score: 0

      Vidbox.com, plus you can download drm free copies.

    7. Re: People Actually Subscribe? by brunes69 · · Score: 1

      You miss the point. This is less about them stealing your info than about using the Pornhub network (which by the way hosts many other porn tube sites) to distribute malware (likely ransomware, as it makes a shitload of money) to all their free visitors.

  9. It wuz haxx0rz! by Anonymous Coward · · Score: 0

    Who else could possibly do the impossibru? Hollywood knows best!

  10. Re:Did you know? by Anonymous Coward · · Score: 0

    So... when are you going to blow yourself up in the name of the religion of peace?

  11. Re:Did you know? by crashumbc · · Score: 0

    Are you the new PK(something) guy?

  12. not invite only. I see the submission form right n by raymorris · · Score: 2

    That last sentence is bogus. Their bug-bounty program isn't invitation only. I have the submission form open in another tab right now. The only requirement that differs from any other is that if your first four reports are bogus, they may stop paying attention to you (known as a signal requirement).

  13. No Thanks! by FudRucker · · Score: 1

    I can view all the porn I want for free; I won't pay some loser geek with leet hacking skills a thousand bucks for access.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:No Thanks! by sumdumass · · Score: 3, Informative

      lol.. You are not paying for porn, you are paying for a shell account which can allow you to access porn and a lot more. Hell, you can even set up your own website and host your own porn on their servers if your privileges are high enough.

    2. Re: No Thanks! by Anonymous Coward · · Score: 0

      "Hell, you can even set up your own website and host your own porn on their servers if your privileges are high enough."
      I think you overestimate the number of people who would pay to see me naked. I would not make back that $1000 quickly.

    3. Re: No Thanks! by Anonymous Coward · · Score: 0

      You could also deploy ransomware on pornhub which would get many installs. Or use their servers to crank out some fresh bitcoins.
      Can you imagine the DoS attack pornhub servers could do? All that HD video streaming bandwidth could knock many sites down simultaneously.

    4. Re:No Thanks! by Anonymous Coward · · Score: 0

      I can't tell if this is trolling or not. Considering PornHub is a huge business and the entirety of it is basically their website/servers, I think 1000 dollars is pretty cheap.

  14. But... by Anonymous Coward · · Score: 0

    Is there anything worth hacking on Pornhub? Other than porn...

  15. Re:Did you know? by Anonymous Coward · · Score: 0

    Nice propaganda you have there.

    I counter it with my own propaganda.

  16. Ah ha! by Anonymous Coward · · Score: 0

    I was just there, clicked the thumbnail top-left on the front page ("Hot in my country" etc), and got dragged over to a weelsof.trojan ransom site. Cleaning it up now. Stay away for a while!

  17. "Back door" access always cost men more by JoeyRox · · Score: 1

    It requires a lot of cajoling or money or both.

  18. Siterip? by Anonymous Coward · · Score: 0

    So....do they actually host vids or just links?
    If this is real there will be a humongous fucking (literally...) siterip on kat soon.

  19. Sex by Anonymous Coward · · Score: 0

    How much do you get for making your first porn video?

    1. Re: Sex by Anonymous Coward · · Score: 0

      Bus fare home, if you're a guy. Which I'm gonna go ahead and assume you are.

      For girls, or particularly pretty twinks, it's probably around a couple of grand. Guys make more if they're willing to go gay for pay, I hear.

  20. Party Foul by BitZtream · · Score: 2

    Dude, not fucking cool.

    Certain sites get immunity from hacking just because. They are privy to an unspoken rule where they get left alone because messing with them is like shitting in your own bed.

    That's what you did, you just shit in your own bed, and while I realize they have a section for that, it's still not cool.

    This is about as uncool as when rootshell was hacked. Again, shitting in your own bed.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Party Foul by Anonymous Coward · · Score: 0

      Oh look! It's the autism-hating Slashdot troll again!

  21. Re: not invite only. I see the submission form rig by Anonymous Coward · · Score: 0

    You can submit, but you gotta be invited to get the money.

  22. Re:Did you know? by Anonymous Coward · · Score: 0

    Christian heritage is far more likely to result in mass murder by a nation than Muslim heritage.

    "Christian Heritage" ?
    So YOU could be a Marxist Communist Atheist and genocidal maniac; but if your grandmother was a Christian, we blame all Christians?

  23. making that up? Not in T&C I read by raymorris · · Score: 2

    Do you have a source for that, or are you completely making things up and then believing your own fiction, as so many Slashdotters seem to do? I don't see anything like that in the terms and conditions myself.

  24. Re:Did you know? by Noah+Haders · · Score: 1

    I'm really only concerned about mass murder by another nation perpetrated on America, and I'm really only worried about contemporary attacks, not historical. so, I don't think your pan-global pan-historical averages hold up.

  25. Bad Neo! by Anonymous Coward · · Score: 0

    They're going to make your life hell after this...