Cyber Incident Victim: Pornhub

Date: May 2016

Location: Canada

Summary

A cybersecurity researcher using the alias 1x0123 claimed to have compromised a subdomain of the adult entertainment platform Pornhub by exploiting a vulnerability in user profile image handling, and offered shell access and command injection capabilities for $1,000. The individual reportedly sold access to three parties before demanding $5,000 from the company to disclose technical details and assist with patching. The platform initially suspected a non-production server breach but later concluded the incident was a hoax, asserting that the described attack methods, including uploading PHP code via image files, were impossible due to server restrictions on file sizes and execution permissions. The company maintained no systems were breached and referenced its existing bug bounty program for legitimate vulnerability disclosures.

Description

On May 14, 2016, an individual operating under the Twitter handle 1x0123 offered command injection capabilities and shell access to a Pornhub subdomain for $1,000. The seller provided two images purportedly demonstrating server access, claiming exploitation of a vulnerability in Pornhub's user profile script responsible for image handling. This method allegedly enabled shell uploads, granting full control over the server environment upon accessing a specific URL. The attacker clarified this vulnerability was unrelated to the contemporaneous ImageMagick flaw. Historical context revealed 1x0123 had previously sold access to the LA Times website via a compromised WordPress installation in April 2016 and disclosed an SQL injection flaw in Mossack Fonseca servers during the Panama Papers incident. Pornhub, which hosted 60 million daily visitors, had launched a public bug bounty program on May 9 offering rewards up to $25,000. The seller dismissed vulnerability reporting, stating "I don't report vulnerabilities anymore, go underground or go home," referencing prior recognition from Edward Snowden for responsibly disclosing a Piwik flaw to the Freedom of the Press Foundation in April 2016.

Pornhub initially suspected compromise of a non-production server but later declared the incident a hoax after investigation. By May 15, 1x0123 (identifying as Revolver in XMPP communications) confirmed selling access to three parties: two obtaining shell access and one acquiring a command injection script. When Pornhub contacted Revolver, he demanded $5,000 to disclose vulnerability details and assist with patching. The company's forensic analysis concluded the attack methodology was impossible, citing server restrictions blocking oversized avatar uploads and lack of PHP execution capabilities for image files. Engineers noted Revolver's described technique—uploading PHP-laden image files—would fail since servers weren't configured to execute PHP from images. Pornhub's spokesperson stated Revolver provided conflicting technical information and abruptly discontinued communications. The final statement emphasized no systems were breached, attributing screenshots to misleading representations that appeared credible without infrastructure knowledge. Pornhub reaffirmed its bug bounty program as the appropriate channel for vulnerability disclosures while maintaining user security as its top priority.
