A hacker using the pseudonym Revolver (@1x0123 on Twitter) stated that he was selling access to Pornhub's servers, asking $1,000 for shell access and command injection capabilities.
In less than 20 hours, Revolver announced that someone had contacted him and that he had sold the exploit (that tweet has since been deleted).
According to his Twitter posts, Revolver found a vulnerability in the script that handles user profile image uploads, which he used to upload a webshell to Pornhub's servers.
The exploit came a week after the ImageTragick vulnerability was announced, but Revolver said he did not use that bug.
Pornhub responded on Twitter 15 hours later, stating that after an investigation “no server appears to have been accessed.”
Pornhub has millions of daily visitors, between 30 and 60 million, which makes the service a valuable target for any hacker.
Revolver asked only $1,000 for the exploit, and four days ago Pornhub launched a bug bounty program that pays far more than $1,000 for exploits like Revolver's. But the hacker wrote that he is no longer involved in bug bounty programs.
https://twitter.com/1x0123/status/731627800814321664
Revolver was already known for discovering an SQL injection vulnerability in one of the servers of Mossack Fonseca, the company from which the Panama Papers originated.