Attacker Compromises Pornhub, Sells Shell Access for $1,000, Says Columnist (csoonline.com) 57
An anonymous reader writes: Four days after launching a bug bounty program, Pornhub is said to be compromised. The person responsible used a vulnerability in the user profile script that handles images (not ImageMagick) and is selling shell access on one of their servers for $1,000 USD. This is the second major website the hacker has shelled. Prior to Pornhub, they compromised the LA Times website.
CSO's security columnist notes that Pornhub "announced their bounty program on May 9, but it's a private, invite-only program managed by HackerOne. As such, it isn't clear if there would've been a way to report this flaw and collect a reward to begin with." In addition, on Twitter the attacker reportedly posted "I don't report vulnerabilities anymore, go underground or go home."
CSO's security columnist notes that Pornhub "announced their bounty program on May 9, but it's a private, invite-only program managed by HackerOne. As such, it isn't clear if there would've been a way to report this flaw and collect a reward to begin with." In addition, on Twitter the attacker reportedly posted "I don't report vulnerabilities anymore, go underground or go home."
Re: (Score:2)
I'm really only concerned about mass murder by another nation perpetrated on America, and I'm really only worried about contemporary attacks, not historical. so, I don't think your pan-global pan-historical averages hold up.
Re: (Score:1)
Are you the new PK(something) guy?
Good. Call them on their publicity stunts. (Score:2, Insightful)
Bug bounties are bogus. Don't make a lottery out of security.
Distractions (Score:1, Offtopic)
"I don't report vulnerabilities anymore; go underground or go home."
Perfect opportunity for a semicolon, imo. Such a waste of an opportunity!
/grin
"I don't report vulnerabilities anymore" (Score:1, Insightful)
"I don't report vulnerabilities anymore, go underground or go home."
Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.
Re: (Score:1)
All those people that found critical vulnerabilities, reported them in a responsible way and got arrested for doing so are agreeing with him.
Re: (Score:2)
haven't you read the article? you can watch pornhub videos through libaa or in 256 colours with libcaca!!!
Re:"I don't report vulnerabilities anymore" (Score:4, Insightful)
Re: (Score:2, Insightful)
"I don't report vulnerabilities anymore, go underground or go home."
Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.
As much as I get your feelings on this, the number of people who've been sued after reporting vulnerabilities makes me understand it.
Re: (Score:1)
Here's hoping I see a future /. story titled "PornHub Hacker arraigned today". I don't give a rat's ass that it's Pornhub, the sentiment that this guy has deserves the consequences in anti-hacking laws.
Maybe you haven't noticed, but those anti-"computer hacking" laws are entirely overbroad and completely vague. That means you could be made to feel the full force of those laws for jaywalking* while holding... anything with a "computer" in it. Like your smartphone, but hey, that microcontroller-equipped sudoku game also qualifies. All you need to make it stick is an experienced smooth-talker, which is apparently the point of lawyer school.
So while I understand your bloodthirsty sentiment, shoddy laws make e
Re: (Score:1)
People Actually Subscribe? (Score:3)
I watch porn just like every other guy and not a small number of women.
But who actually pays to subscribe to something that is obviously available for free?
If they want me to pay money they'd better send one of those Nubile girls to my house.
Re: (Score:2)
Re: (Score:2, Funny)
...a Netflix for porn
Agreed, there's money to be made here. I mean someone's already made "the Facebook for Sex", which must be doing well as I see ads for it everywhere, AND apparently there's plenty of singles in my area!
Re: People Actually Subscribe? (Score:2)
You miss the point. This is less about them stealing your info, as using the Pornhub network (which by the way hosts many other port tube sites) to distribute malware (likely ransom ware as it makes a shit load of money) to all their free visitors.
not invite only. I see the submission form right n (Score:3)
That last sentence is bogus. Their bug-bounty program isn't invitation only. I have the submission form open in another tab right now. The only requirement that differs from any other is that if your first four reports are bogus, they may stop paying attention to you (known as a signal requirement) .
making that up? Not in T&C I read (Score:3)
Do you have a source for that, or are you completely making things up and then believing your own fiction, as so many Slashdotters sem to do? I don't see anything like that in the terms and conditions myself.
No Thanks! (Score:2)
Re:No Thanks! (Score:4, Informative)
lol.. You are not paying for porn, you are paying for a shell account which can allow you to access porn and a lot more. Hell, you can even set up your own website and host your own porn on their servers if your privileges are high enough.
"Back door" access always cost men more (Score:2)
Party Foul (Score:2)
Dude, not fucking cool.
Certain sites get immunity from hacking just because. They are privy to an unspoken rule where they get left alone because messing with them is like shitting in your own bed.
Thats what you did, you just shit in your own bed, and while I realize they have a section for that, its still not cool.
This is about as uncool as when rootshell was hacked. Again, shitting in your own bed.