Exploit Found: Bypassing paid downloads on PornHub.com

Proof of Concept here: https://pornhubdownloadexploit.s3.amazonaws.com/pornhub_insecure_storage.mp4

Initial Disclosure:

For your recently added pay2Download feature (identified as an inspectable element in Firefox), where specific videos may require a fee of $6.00 or so from the author/film actor, the payment system can easily be bypassed by simply opening the Firefox web console, going to the Network tab, replaying the streamed video, and then looking directly for the Pornhub Content Delivery Network URI of the media object.

Impact:

This vulnerability completely negates the purpose of the pay2Download feature, through which adult film actors merchandise their entertainment on pornhub.com.

You should replace the pay2Download feature with a challenge page, much like the one used for High-Definition Downloads, because I could not see the request with a simple web browser if I were confronted with a challenge page before making a GET request to the actual content.

This attack is so easy that anyone with Firefox Web Developer Tools or Chrome DevTools should be able to freely steal porn while posing as simple GET requests. In other words, because of this, there is no way to measure how much for-charge adult entertainment has already been stolen.

Technical Overview:

There are no penetration testing tools required for this “exploit”. All you need is either a Firefox browser with the default “Web Developer” options installed, or Chrome with DevTools enabled.

To reproduce these steps against the proof-of-concept paid content (Stealable Paid-Only Porn Video):

  1. Open the link in Firefox.
  2. Click on the hamburger icon on the top right and choose Web Developer from the drop-down menu.
  3. Then click on Network.
  4. Refresh the page with Ctrl + R.
  5. You MUST play the video in the video player on pornhub.com to see the media tag pointing to the video.
  6. While it is playing, a new GET request is produced; double-click that request and you will be led to a direct link to the protected web content.
  7. Now right-click on that standalone media and choose Save Video As.


Watch the Aftermath video at the bottom of this article for a full walkthrough.

The request produced is:

curl 'https://dv.phncdn.com/videos/201904/20/219282541/720P_1500K_219282541.mp4?ttl=1566840526&ri=1433600&rs=1968&hash=c70929912cf61e309f00a3423a39b965' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5' -H 'Accept-Language: en-US,en;q=0.5' -H 'Range: bytes=102531072-' -H 'Connection: keep-alive' -H 'Referer: https://www.pornhub.com/view_video.php?viewkey=ph5cbae2cf663d7' -H 'Cache-Control: max-age=0'

And there are several telltale forensic indicators of how PornHub’s Content Delivery Network works.

Note the initial line pointing to the video:

https://dv.phncdn.com/videos/201904/20/219282541/720P_1500K_219282541.mp4?ttl=1566840526&ri=1433600&rs=1968&hash=c70929912cf61e309f00a3423a39b965

  1. This implies that the video was submitted on April 20th, 2019.
  2. The video has a unique identifier of 219282541.
  3. A hash is submitted identifying the user.
  4. A User-Agent header is submitted as well, identifying you as the attacker, but this can easily be changed to conceal your activity: https://support.mozilla.org/en-US/kb/how-reset-default-user-agent-firefox
  5. The Referer header shows the initial official link of the video, where you can only view and not download the video.
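The indicators above can be pulled out of the captured URL programmatically, which is what an incident responder would do when correlating such links against CDN logs. The following Python is an added example, not code from the original post or from PornHub; it assumes only that the ttl query value is a Unix timestamp after which the CDN stops honouring the link (it decodes to the same day the screenshot was taken), so a captured link is not replayable indefinitely.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# The CDN URL captured in the post (path and query values are the page's own).
CAPTURED_URL = (
    "https://dv.phncdn.com/videos/201904/20/219282541/720P_1500K_219282541.mp4"
    "?ttl=1566840526&ri=1433600&rs=1968&hash=c70929912cf61e309f00a3423a39b965"
)


def parse_media_url(url: str) -> dict:
    """Break a phncdn-style media URL into the forensic fields the post lists."""
    parsed = urlparse(url)
    # Path layout: /videos/YYYYMM/DD/<video id>/<quality>_<bitrate>_<video id>.mp4
    _, yyyymm, dd, video_id, filename = parsed.path.strip("/").split("/")
    quality, bitrate, _ = filename.rsplit(".", 1)[0].split("_")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    ttl = int(query["ttl"])
    # Assumption: ttl is a Unix timestamp marking when the signed link expires.
    expires_at = datetime.fromtimestamp(ttl, tz=timezone.utc)
    return {
        "host": parsed.hostname,
        "upload_date": f"{yyyymm[:4]}-{yyyymm[4:]}-{dd}",
        "video_id": video_id,
        "quality": quality,
        "bitrate": bitrate,
        "ttl": ttl,
        "expires_at": expires_at,
        "hash": query["hash"],
        # ri/rs appear in the capture but the post does not explain them; keep them raw.
        "ri": query.get("ri"),
        "rs": query.get("rs"),
    }


def link_is_live(url: str, now_unix: int) -> bool:
    """True while ttl has not passed; a CDN enforcing ttl would reject the link afterwards."""
    return now_unix < parse_media_url(url)["ttl"]


if __name__ == "__main__":
    info = parse_media_url(CAPTURED_URL)
    for key, value in info.items():
        print(f"{key:>12}: {value}")
    print("live now?", link_is_live(CAPTURED_URL, int(datetime.now(timezone.utc).timestamp())))
```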

Those concerned about being detected and banned can simply hide behind a VPN like NordVPN and change their User-Agent using the link above. An example is to make yourself appear like a Chinese QQ browser running on a bootlegged iPhone. Then, because it’s a GET request, which is generated whenever anyone intentionally views, downloads, or clicks the ordinary embedded video player’s Play button, the attack is completely untraceable.

Aftermath:

Due to disqualification from the PornHub.com HackerOne program on a simple technicality, “Allow Downloads”, I did not receive consideration for validation. However, as you can see, this allows straight-up theft of PAID adult content. I am forced to disclose this vulnerability to the public.
