Brazilian finds security holes in Pornhub and Redtube

After two months of research, a Brazilian identified as Pedr4uz found vulnerabilities on popular porn sites, such as Pornhub, Redtube, YouPorn and Tube8, all owned by MindGeek. In total, five flaws based on user-side code injection were discovered.

As the researcher explains, attackers just needed to generate a fake link. Thus, when the user clicked, access to all sessions, user accounts, as well as activity records on the sites, such as credit card data used for purchases, would be released.

The Unsplash / Play

“The only thing that was needed is for the user to click on the link […] If I sent an adulterated link to an employee on one of these sites and he clicked, his session would be mine […] These loopholes could also be used to steal employee accounts, with administrator privileges on the website, ”explained Pedr4uz.

As a reward, the bounty bug platform HackerOne paid US $ 1000 (about R $ 5,370 at the current price), referring to the discovery of two bugs on Redtube, one on Pornhub and the other on YouPorn.

Tube8 firewall was enabled

The 1000 logos / Reproduction

You may be asking yourself: if the researcher found five failures, why was he rewarded for only four of them? Although Tube8 also presented the vulnerability identified by Pedr4uz, the website’s firewall was working correctly, preventing the requests of attackers from being met.

“As much as it was possible to control what would be reflected on the user’s page, the firewall blocked my requests”, he explains. With that, HackerOne disregarded the discovery on the site.

In addition to these vulnerabilities, Pedr4uz reported other specific YouPorn errors even more serious than the others, since they allow attacks such as “Cache Poisoning” and “DNS Spoofing”, directed at the company’s server. The error, however, was already known to the company, which is making the necessary corrections.

Leave a Comment