A few days ago Pornhub, in partnership with HackerOne, launched a bug bounty for anyone who manages to find a vulnerability in their site, with a reward of $250000 (Pornhub Adakan Bug Bounty Program Dengan Reward $25000). But instead of taking part in Pornhub's bug bounty program and reporting the flaw legally, the Twitter account @1x0123 claims to have hacked Pornhub's server and is offering to sell access to that server for just $1000.
As the image shows, the hacker claims to have achieved command injection on pornhub.com.
The hacker also explained how he got access to the Pornhub server. He said there was a flaw in the user-profile script that allowed him to upload a backdoor through the image-upload feature and then perform command injection.
A Reddit user, Katie_Pornhub, who is probably a member of Pornhub's staff or an admin, confirmed that their server was hacked. More precisely, their old server: one that has not been used for 5 years. Their currently running server is fine.
Yeah, we've been hacked lol
Pornhub itself clarified that there is no bug of the kind @1x0123 showed, namely a user-profile flaw through which a backdoor could be uploaded. They also said that all the screenshots @1x0123 posted are probably fabricated.
Not sure what else I can say since I don't know much. I'm sure it's not how the devs wanted to be spending their Sunday.
I'll update when I know more.
edit: First response from devs is that it's shell access to a really old server that's no longer active (5+ yrs) because that screenshot is not close to the actual directory structure. (And seeing that Pornhub is still live, the hacker didn't just change everything around lol)
edit: 2nd response is in this screenshot https://twitter.com/1x0123/status/731622179922706432 it shows Kernel version 3.15, but we have 3.10 running on production. They are still trying to figure out what server this guy actually gained access to. They think it's a test server. I feel like if I tweeted and asked him, it would be quicker.
Final update (official):
The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events.
The safety and security of our users is Pornhub's top priority. We would like to remind everyone that Pornhub has a public bug bounty program which can be used to responsibly report any legitimate vulnerabilities in exchange for bounties as high as $25,000.
Hmm... this is getting interesting. Either user @1x0123 is looking for attention, or Pornhub is covering up the hack of their server so that everything looks fine. Who knows. Let's wait and see how it develops.
That's all for this news; share it with your friends so they know too.