Infosec bloke claims: Pornhub owner shafted me after I exposed gaping holes in its cartoon smut platform
Mindgeek left him totally unsatisfied, he says
An irate infosec researcher has accused Pornhub owners Mindgeek of out-of-scoping what he described as "critical" vulns in a cartoon pornography-themed mobile games site.
John Sawyer, a mobile app security specialist, had a poke around some of the APKs (Android application packages) listed on Nutaku, a highly NSFW Mindgeek site dedicated to free browser games featuring lots of – well, there's no other way to put this – bonking Japanese-style cartoon characters.
In a Reddit AMA (ask me anything), a Nutaku functionary described the site as "a distribution platform much like GooglePlay, Steam, the AppStore" for adult-themed apps, though it was the APK for Nutaku itself that Sawyer was examining.
Sawyer was not impressed with what he found, telling The Register that he uncovered a slack handful of remote code execution (RCE) vulns, weak password hashing, sending login credentials over plain HTTP (no S), credentials ending up in logfiles and more.
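Three of the bug classes in that list – weak password hashing, credentials on plain HTTP and credentials landing in logfiles – are the kind a backend or app reviewer can check for mechanically. The snippet below is an added example written for this page, not code from Nutaku, Mindgeek or Sawyer's report, and says nothing about what the Nutaku APK actually did: the `weak_hash` routine is a constructed stand-in for unsalted fast hashing, the endpoint URLs and log lines are made up, and the field names in `SENSITIVE_KEYS` are an assumption about what a login request carries.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import urlparse

# Constructed stand-in for the kind of storage that gets flagged as "weak
# password hashing": one unsalted pass of a fast digest. Two users with the
# same password get the same hash, and MD5 is cheap to brute-force offline.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hardened form: random per-user salt plus a deliberately slow KDF, stored
# with the parameters so they can be raised later without a migration.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fixed salt is only for reproducible tests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Transport check: a login endpoint reachable over plain HTTP hands the
# credentials to anyone sharing the network segment (coffee-shop Wi-Fi,
# a hostile hotspot). Only an https URL with a host is acceptable.
def login_endpoint_is_secure(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

# Log scrubbing: strip credential values from request logs before they are
# written. Assumed field names; extend for whatever your API actually uses.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "authorization")
_KEYS = "|".join(SENSITIVE_KEYS)
_QUERY_RE = re.compile(r"\b(" + _KEYS + r")=([^&\s]+)", re.IGNORECASE)
_JSON_RE = re.compile(r'("(?:' + _KEYS + r')"\s*:\s*")([^"]*)"', re.IGNORECASE)

def redact_log_line(line: str) -> str:
    line = _QUERY_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = _JSON_RE.sub(lambda m: f'{m.group(1)}[REDACTED]"', line)
    return line

if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(weak_hash("hunter2"), "==", weak_hash("hunter2"))
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored))
    print(login_endpoint_is_secure("http://api.example.test/login"))
    print(redact_log_line("POST /login?user=bob&password=hunter2 HTTP/1.1"))
    print(redact_log_line('{"user": "bob", "password": "hunter2"}'))
```

The point of the pair of hashing functions is the contrast: `weak_hash` gives identical output for identical passwords and can be checked at billions of guesses per second, while `hash_password` makes every stored value unique and each guess cost 600k HMAC iterations. The log redaction runs on the request line before it reaches the logger, which is the only place it can reliably stop a credential being persisted.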
He reported these to Nutaku, which directed him to the Pornhub bug bounty scheme. Even so, Sawyer said, Mindgeek didn't take them seriously – to the point where some of the bugs were declared out of scope of its bounty scheme after submission and so not eligible for a payout.
"Technically, they're right," he conceded. At the time of writing the Pornhub HackerOne entry states: "The scope of this program is limited to security vulnerabilities found on the Pornhub and Pornhub Premium websites as well as in the Pornhub Android application. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward." It does add: "High impact vulnerabilities outside of this scope might be considered on a case by case basis."
Sawyer told us that RCEs ought to be patched, whether or not they're declared as out of scope. He added that he had made it clear from the outset that he wasn't chasing the bug bounty cash, and had asked for that to be sent to a charity rather than dropped into his pocket.
"You don't need full control of the network or device to grab credentials, you just need to be on the same network," he said.
The researcher's concern was not isolated. Others have mentioned on Twitter that they have had dissatisfying experiences with Mindgeek's bug bounty scheme.
Yep sounds about right. They didn't listen to any of the bugs I submitted a year or two ago. Haven't touched h1 since. — Ben Actis (@Ben_RA) May 22, 2019
Mindgeek, owners of Nutaku and Pornhub, as well as the future operators of a large chunk of Britain's upcoming porn ID card scheme, told El Reg it "takes the security of its users very seriously.
"We review each submission to our bug bounty programs manually and reward them according to their severity. In this case, the security researcher submitted reports that we consider out-of-scope as per the rules published publicly on the program's pages," adding that even if it had misidentified some of the submitted reports, "the outcome would have been the same nonetheless".
Mindgeek's spokesman added: "None of the reports regarding the Android APK for Nutaku demonstrated a means to remotely capture login credentials without having full control of the user's device and or its network connection." ®