It turns out that story was just a hoax.
As reported by CSOOnline, the hacker, who goes by 1×0123 on Twitter, tweeted an image showing that he had gotten access.
https://twitter.com/1×0123/status/718760771887489024
Turns out 1×0123’s claims were nothing more than hot air to scam bad guys. The hacker allegedly sold PornHub access to three people. Two people were sold shell access while one was sold injection script.
PornHub reached out to 1×0123 via XMPP, an instant messaging client, to try and resolve this issue. 1×0123 allegedly offered to help fix the vulnerability and give additional details for a fee of $5,000. It’s unknown if PornHub agreed to those terms and paid.
Here’s hoping PornHub didn’t end up paying, because after doing some digging, the site’s engineers started to see the holes in 1×0123’s claims. At first the company believed a test server to be compromised, then a non-production server, but neither were accessed. 1×0123 had provided the site with a copy of the shell he used to dump into the server. PornHub noticed that there was no way the file could have been uploaded due to file size restrictions with the avatars. Not only that, 1×0123’s file contained PHP code, but PornHub’s servers are not designed to execute PHP.
“Even if the server would accept this fake image file we don’t allow code to be executed as an image extension. He provided conflicting information and left the chat shortly after,” a PornHub spokesperson said.
PornHub released an official statement:
“The PornHub team investigated the claim from the hacker named 1×0123. Our investigation proved that while those screenshot might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no PornHub systems were breached during those recent events. The safety and security of our users is PornHub top priority. We would like to remind everyone that PornHub has a public bug bounty program which can be used to responsibility report any legitimate vulnerabilities in exchange for bounty as high as $25,000.”
Well, that was a close one. Everyone can now sleep soundly knowing that the internet’s porn viewing habits are still a closely kept secret.
