Adult video sharing website Pornhub has called a sale of shell access a hoax, stating the methods described by Revolver were not possible.
According to CSOonline , an underground researcher going by the name “Revolver” offered command injection abilities and shell access to a subdomain on Pornhub for $1000.
The offer included two images in order to demonstrate access to the Pornhub server, and when asked how the shell was uploaded, 1x0123 said it was a vulnerability in the user profile script that handles images that enabled the shell's upload and once the shell is uploaded, browsing to the proper URL will open it and enable command injection.
“Revolver” confirmed on Sunday that he had sold access to Pornhub to three people, and offered to share details and help patch the vulnerability for $5000. Pornhub launched a public bug bounty program last week.
However, Pornhub issued a statement calling the incident a hoax, stating the methods described by Revolver were not possible. At first, the company thought a test server, or a non-production server was targeted, but the website later determined that nothing at all was compromised after working with Revolver.
The statement said: “The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.
“The safety and security of our users is Pornhub's top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibility report any legitimate vulnerabilities in exchange for a bounty as high as $25,000.”
Pornhub did not confirm if they paid for Revolver's assistance.