John Sawyer, a mobile app security specialist, had a poke around some of the APKs (Android application package) listed on Nutaku, a highly NSFW Mindgeek site dedicated to free browser games featuring lots of – well, there's no other way to put this – bonking Japanese-style cartoon characters.
In a Reddit AMA (ask me anything), a Nutaku functionary described the site as "a distribution platform much like GooglePlay, Steam, the AppStore" for adult-themed apps, though it was the APK for Nutaku itself that Sawyer was examining.
Sawyer was not impressed with what he found, telling The Register that he uncovered a slack handful of remote code execution (RCE) vulns, weak password hashing, sending login credentials over plain HTTP (no S), credentials ending up in logfiles and more.
He reported these to Nutaku, which directed him to the Pornhub bug bounty scheme. Even so, Sawyer said, Mindgeek didn't take them seriously – to the point where some of the bugs were declared out of scope of its bounty scheme after submission and so not eligible for a payout.
"Technically, they're right," he conceded. At the time of writing the Pornhub HackerOne entry states: "The scope of this program is limited to security vulnerabilities found on the Pornhub and Pornhub Premium websites as well as in the Pornhub Android application. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward." It does add: "High impact vulnerabilities outside of this scope might be considered on a case by case basis."
Sawyer told us that RCEs ought to be patched, whether or not they're declared as out of scope. ..