A hacker who uses the pseudonym Revolver (@1x0123 on Twitter) stated that he is selling access to Pornhub's servers, asking $1,000 for shell access and command injection capabilities.
In less than 20 hours, Revolver announced that someone had contacted him and that he had sold the exploit (this tweet has since been deleted).
According to his Twitter posts, Revolver discovered a vulnerability in the script that handles user profile image uploads, which he used to upload a webshell to Pornhub's servers.
The exploit came a week after the ImageTragick vulnerability was announced, but Revolver said he did not use that exploit.
Pornhub responded on Twitter 15 hours later, stating that after investigation, "it does not appear that access was obtained to any production server."
Pornhub has between 30 and 60 million daily visitors, and the service would be a valuable target for any hacker.
Revolver asked only $1,000 for the exploit, even though four days earlier Pornhub had launched a bug bounty program that pays well over $1,000 for exploits like Revolver's. But the hacker wrote that he no longer participates in bug bounty programs.
https://twitter.com/1x0123/status/731627800814321664
Revolver was already known for discovering an SQL injection vulnerability in one of the servers of Mossack Fonseca, the company from which the Panama Papers were leaked.