Editor’s Note: This article was first published on June 29, 2016.
Ciaran McNally, 27, is a freelance security consultant in Ireland who is the second-highest earner in Pornhub’s Bug Bounty Program, a program where the porn giant pays guys to hack it in order to discover its vulnerabilities before someone who isn’t Pornhub does.
In the cybersecurity world, I do something called “penetration testing.” This led to a ton of childish jokes when I told my friends I was working on Pornhub: Penetration testing! They also joke that they now understand why I have a sore wrist all the time. (I actually do have carpal tunnel syndrome… for real.) Another favorite joke of theirs: That I prefer the back end.
I hacked Pornhub for a few hours in the evening after my day job as a consultant, where I do the same sort of thing for various other companies. I’ll sometimes work through the weekend or pull an all-nighter, too — it can be difficult to stop once you get unauthorized access to stuff that’s supposed to be private or secret.
Obviously, I knew about Pornhub before I started working on it. But I don’t browse that much porn. It’s not my cup of tea; a lot of it is quite abusive. I’d be lying, though, if I said it wasn’t distracting. You’re trying to do your job and break into a website and there’s, like, ass fisting! It’s definitely a different experience from bug bounties I’ve done in the past.
My first hacks were to my PlayStation when I was about 15. I found a way to use my piece-of-shit PC to modify the memory of games like Metal Gear Solid or Resident Evil to get things like unlimited lives or unlimited ammo. Back then, however, I had no idea there was a community of hackers out there who did these types of things, too. I wasn’t allowed to use the internet as a kid since my family had dial-up and it ran up the phone bill.
So the only thing I knew about hackers was what I saw in movies like Enemy of the State. More than anything else, that movie got me thinking about computers — I thought Gene Hackman’s character, a secretive former government operative turned vigilante, was cool. It also made me wonder about how you defend yourself against computer attacks.
I started doing bug bounties around three years ago. I was a college student with very little money. It was a nice way to help pay rent. I made $400 in a night from the first bounty program I joined. At the time, I was working in a bar; I would only make around $180 for the whole weekend. So to earn $400 for a couple of hours of work was great.
Eventually, I built up a reputation for being pretty good at finding bugs. Over the years, I’ve submitted bugs to Google, Microsoft and Facebook and done bug bounties for Adobe, Yahoo!, Tesla and other companies I can’t name because of nondisclosure agreements. HackerOne and Bugcrowd are companies that administer bug bounties and their payouts on behalf of websites. They have algorithms that select candidates for private bounty programs based on past performance or metrics — essentially, you earn points based on the quality of your reports and submissions.
The Pornhub program was attractive because it was worth $25,000 in rewards. I got invited to it 11 months before it went public, and I figured I could earn decent money if I did well. In total, I received $16,000 in rewards for a week or two of work, which is basically the amount of time it took me to get full access to some of the site’s servers. That’s the ultimate goal: Figuring out how to gain control of the site. It’s where the bigger money is at, too — i.e., the more severe the issue you find, the more the company pays.
When you try to “break in” to a website like Pornhub, you’re essentially trying to find a way of getting around the login systems. A lot of times this could be done by brute-forcing the directory for common filenames — e.g., trying lots of different filenames like “changepassword.php” or “.html” through trial and error. You also can sometimes find endpoints — a URL where a web service can be accessed by your web browser — that you weren’t meant to. This could, for example, allow you to read parts of the admin panel without authentication. The goal from there is to remotely execute commands on the server. At that point, you can basically read all the source code, access all the information on the databases and change the content on the website.
If a particularly nasty hacker got into Pornhub, there are a few things they could do. For starters, they could establish a botnet (a private network of computers controlled by malicious software without the owners’ knowledge) by inviting people to click on something bad (that they, of course, don’t realize is bad). People who mistakenly run the malicious software are now part of the botnet. Or the nasty hacker could find someone important who is a Pornhub customer and blackmail them for going to Pornhub — a politician, for example — as well as get their email address and password, since a lot of people use the same password for different sites. Or the nasty hacker could set up a fake payment page and steal all the credit card information people put in.
Basically, once someone evil has access to the servers, they can do anything they want. It’s all down to how creative they are.
Whether it’s for good or bad, I view hacking as a form of creativity or innovation. And I don’t always associate it with technology or computers. Many of the best hackers I know simply love the challenge of building things. Just like in engineering, chemistry or even knitting.
That said, I’m not that different than my friends who aren’t into computers. It’s not like I’m some guy who lives in a basement all alone. I live in an apartment with my girlfriend of five years. Nor am I like that image of a rogue hacker who distances himself from society — like the Gene Hackman character I admired, or Christian Slater in Mr. Robot. In real life most of us hackers aren’t chased by NSA agents or entangled in international conspiracies; we’re just regular guys with a hobby that’s seen by others as an employable skill.
— As told to Adam Elder