Any Hackers in the House?
 

Pornhub are offering $25k if you can find an exploit.

https://hackerone.com/pornhub

its called pentesting not hacking

No it's not it's hacking. Pentesting is when you test your pen to see if it still works.

penetration testing

When you fuck a virgin.

Anyway CPA-RUSH. What the fuck do you know about it anyway?

I hack them all day.. Its a free tube site been going to for years..

Nice.... $25 reward min.

intresting!

Looks like it's $50 now :upsidedow

Hacking Beez aint eazy-e

Innaresting ...

Cool according to the endless terms you have to wait 30 days for a response then 90 days for them to fix it, 120 days (4 months) total. THEY decide if your find is worth $50 or more and you have to trust Pornhub if they tell you it's already been reported to them by someone else :thumbsup

Their terms also state they MAY reward qualifying finds. So even if you're the first to find a huge vulnerability that they fix you are not guaranteed any money at all.

Pretty standard terms really.

Nope.

Even Adobe's HackerOne terms don't have anything close to that kind of wording regarding compensation. They definitely don't say you might find an issue, report it, and not gat paid..

State facts.

lol what ?

<script>alert("XSS")</script>

Xss is lame.

Yea. This is pretty standard in the "hack for ethic" contests like this one why its bullshit to even try to compete.You don't know up front for what vuln or level of compromise you get what compensation. The 25k bounty will not go to anyone even if you breach the server. They also removed all the bullshit vuln's that are usually reported like clickjacking, xss, csrf etc etc, and won't pay for any human error or employee targeting :))))

They'll probably argue 25k would go if you download their database, which is probably few terabytes and how likely is something like that to go unnoticed :) :321GFY
If someone was to found the vuln, you'd sell it better on black market then to them for compensation.

really ?

Would be funny if they had a central database that's so old school :1orglaugh

Shitty Yahoo is the ONLY other company in all of HackerOne that is so tacky as to say "Rewards are granted entirely at the discretion of" :1orglaugh:1orglaugh:1orglaugh

Yes......

What platform is not vulnerable to XSS?

:1orglaugh

Who cares? Just because you can make an alert that makes you l33t.

?

.

pfff its mean i agree lol

what ways are even left after reading those terms?

Vuln bounties should have some sort of public signature or hash ledger, so that when someone finds one, the finder can prove the time of submission, without releasing the actual details. That way the company cannot weasel out of it by saying that someone else found it first.

Would probably be even better if the proof was stored on a public blockchain, like Bitcoin, so that the company couldn't manipulate it.

There's a startup idea for you. :thumbsup

I suspect they will get what they ask for, perhaps not the way they wish though.

Best of luck to the game.

Like taking candy from a baby. You can redirect to your own page via a Pornhub post. I do similar on my Tumblrs :1orglaugh:1orglaugh:1orglaugh

Pornhub post offsite redirect example

Wait 8 seconds

Pornhub possibly has a serious Xss gif issue too it seems :helpme

There, where's my money? Oh wait . . .

Brilliant idea!

With their "hackers bounty" publicity blitz the last few days they'll get a lot of people like me interested, until they read the scammy terms, and I'm not hacker.

With my previous posts "helping" Pornhub you never get public, or private, thanks but see they act on it later, with me at least once that I can remember. There's seemingly more tangible known monetary benefits to not disclosing and using to someone's benefit.

I'm sure my last post will receive the same lack of acknowledgement, let alone gratitude from Pornhub, and that's fine :1orglaugh:1orglaugh:1orglaugh

Closest thing I know of is. https://hackerone.com/ and https://www.openbugbounty.org/ At openbounty you can put the details on hold for any site you find a redirect or xss issue with. I put an issue on hold for a month usually. Only a small site paid me. Big sites, never answer.

Another good press release / publicity stunt from the top dawgs in Adult.

The cheque is in the mail :helpme

They said we're not allowed to DDoS or use any kind of bots or scripts and a few other things.. I'm out.

lol

nice one!
no sanitizing on the php call for the title?

Than again lots of sites have 'mistakes' in them.
I can name a few...

Just Google XSS Gif Pornhub ;)

Ask Clifford for details it's his work.

Here's his HackerOne profile: https://hackerone.com/trizaeron

Pornhub hasn't paid Clifford according to his profile and he's hacked it since what, March?

Maybe Pornhub doesn't care about people redirecting from their site or don't want to pay the guy what he's worth?

I just returned from big G was looking for more info.
i can see the kremlin gets lots of traffic from pornhub.. :1orglaugh
Was that you?

but no info on Clifford's hack.

Goto the Pornhub link in my original post, wait 8 seconds, and you're forwarded to Cliffords site.

Pornhub post offsite redirect example

I'm not a hacker

It always amazes me how little people will work for. If I root you and you are worth $100m+, a bounty of $25k isn't going to cut it.

Right? This guy still redirects from PH for months, is a part of HackerOne and not paid still wide open. PH was built on a shaky foundation, house of cards, all the stolen content including mine now they make millions a month off our backs, all my hard work, I get nothing from what was stolen and posted on PH from Kherson Oblast, Ukraine :disgust

Not saying so ;)
I just thought he/you wrote about it, misunderstood you.
(it does seem he got a few hundred bucks from PH, still way to little for a redirect injection! hackerone dot com/pornhub/thanks )

Still funny, specially the ones redirecting to kremlin!

THIS:
:2 cents:

Right, and his redirect still not patched so ...

I hear you.
Most such a site does is remove content, deleting a user, as a max.
(delete content uploaded, prop. never)

And as no one has to identify for an account.
There is no solution for this.
All there is, is the totally screwed up dmca system.

I know from own experience cam4 won't even give any info on paying members even when given solid proof of uploading stolen content! (captured live shows on the same damn site!)
Hell they didn't even ban him! He has been posting for years.
Prob. still does so.
:2 cents:

Like this guy https://hackerone.com/reports/72243
they offered him only $500 for gaining access to production servers (because the domain he found the info on was not part of the official bounty program).
a year later they still paid him $9.5K though


Last month these people got $20K

https://www.evonide.com/how-we-broke...-20000-dollar/

$20K is very little for something like that

Content is king

Knowledge is power

Watching the thieves pay pennies not to be stolen from - priceless

If you read up on the work of the guys that hacked pornhub, their work was amazing. Im pretty sure it took up way more time from way too many people for the 20k they got. I bet their work was less then 8$ an hour if you count it all up.
They even have 2 zerodays in the php garbage collector out of it. They sold very cheap. Always funny :)