CRITICAL SECURITY WARNING: If you have an account on LewdTubers and re-use the same password elsewhere, change your passwords immediately. A fellow developer has discovered major security issues that make this site unsafe to use.
Updates
Update (August 10, 2024, 09:04 UK time): The LewdTubers website has been put into maintenance mode. This is a positive step in ensuring no one can access the website while issues are being addressed.
Final Update: The owners of LewdTubers have decided to take the website offline and discontinue their operations. Although this outcome may be disappointing, it was likely the best decision given the circumstances. From security issues to financial challenges, it's better that they realized these problems now rather than later. A service like this unfortunately comes with a significant burden to keep running.
It appears there was a lack of communication within the team, as both one of the admins and one of the owners were unaware of my initial findings. This could have led to more serious issues in the future if left unaddressed.
I would like to thank all the content creators who reached out to me before and after the document was released. I understand that many of you were frustrated that your voices weren't heard by the LewdTubers team. Although disappointing, it seems you have now received your answer.
Lastly, I want to emphasize that harassing the creators or the admin of LewdTubers is absolutely unacceptable and goes against what I was trying to achieve in the first place. My goal was to ensure a safe environment for content creators and users of LewdTubers. It is clear to me that the owners did have good intentions; however, the execution was poorly managed.
If the owners wish to restart this project in the future, I highly recommend they review this document thoroughly and learn from their mistakes. However, I believe this scenario is unlikely.
Introduction
Hi there, I'm Rina. My work includes contributing to open-source projects like the Cats Blender Plugin Unofficial and Avatar Toolkit.
Beyond coding, I also evaluate the security of websites and online platforms, although I can't go into much detail about that work. It involves looking for weaknesses in areas such as password storage, login and password-reset flows, privacy policies, and protection against common attack techniques, among others.
Recently, while testing a group of 20 websites, LewdTubers caught my attention (I'll let you use your imagination on why). While it wasn't initially on my list, certain factors led me to take a closer look.
My initial concern arose from the lack of a visible privacy policy on the website. This was quickly followed by alarm when I received an email containing my password in plain text after signing up. This prompted me to investigate further, uncovering additional potential security and ethical issues.
Despite reaching out to the creators of LewdTubers with my findings, I received limited response. While they acknowledged the issue of passwords being transmitted in plain text, other concerns remained unaddressed. It's worth noting that all 19 other websites I tested during this period have implemented the changes I recommended to improve their security and user privacy.
This lack of engagement from LewdTubers ultimately led me to compile this document, detailing my findings and raising critical questions about LewdTubers' commitment to user safety and responsible platform management. Finding more issues and speaking to content creators who had concerns of their own led me to accelerate its release. While I initially planned to wait at least another week before sharing my findings, I felt it was crucial to bring these concerns to light sooner rather than later.
It's important to state that this document is not intended to be a condemnation of the creators or anyone working behind the scenes at LewdTubers. My goal is to highlight some major issues that need to be addressed to ensure the platform is safe, secure, and operates within legal boundaries. I believe in the potential of LewdTubers and hope this report serves as a constructive step towards making it an even better platform for everyone.
Please remember: This document is meant to spark positive change. Let's avoid harassment or bullying of anyone involved with LewdTubers. Our collective goal should be to work together to create a safe, enjoyable, and legally sound online experience.
This document covers the issues I found with the LewdTubers website, including security issues, privacy issues, legal issues, and more.
Security Issues
On August 6, 2024, I dispatched a formal email to LewdTubers, serving as an official notice of public disclosure regarding the security concerns. This communication followed an earlier, more informal email sent on August 5, 2024, which unfortunately did not elicit a response.
Official Notice of Public Disclosure
Below is the formal communication I sent to the LewdTubers team:
Subject: Critical Security Vulnerabilities and Data Protection Concerns - Official Notice of Public Disclosure
Dear Lewdtubers,
This email serves as an official notice of intent for Public Disclosure following my previous unanswered communication from [Email redacted for privacy reasons] regarding critical security issues.
If these issues are not resolved within 14 business days, I will proceed with public disclosure and report to relevant authorities, including the ICO in the UK and EDPS in Europe.
Critical Issues:
Password Security: Your practice of sending user-set passwords via email poses severe security risks:
- Violates cybersecurity best practices
- Suggests potential plain text storage of passwords
- Increases vulnerability to man-in-the-middle attacks
- Risks password exposure if email accounts are compromised
- May lead to insecure password storage in email archives
- Violates data protection regulations in multiple jurisdictions
Even with TLS encryption, transmitting sensitive information without additional protection is unsafe and indicates potential broader security vulnerabilities.
Data Protection and Privacy:
- Absence of a visible privacy policy on your website
- Collection of personal information (email, name) without clear data handling practices
- Potential non-compliance with GDPR for EU resident data
Urgent Recommendations:
- Implement secure password reset mechanisms
- Ensure proper password hashing and salting
- Cease all transmission of passwords in plain text (This seems to be fixed, but only for sign-up; password resets still send out a new permanent password, which is a big no-no. We still don't know whether passwords are stored in plain text somewhere, seeing as they were being sent out in plain text.)
- Force a password reset for all users post-fix
- Develop and publish a comprehensive privacy policy
- Ensure full GDPR compliance for data collection and processing
Your immediate action is required to address these critical security and privacy concerns. Failure to adequately resolve these issues within the specified timeframe will result in public disclosure and reporting to relevant data protection authorities.
As a new website and service, you may not have encountered this type of situation before. This email exemplifies the kind of communication you might receive if someone identifies a security issue. We want to emphasize that our intent is not to intimidate, but to highlight the critical importance of user security and data protection in your operations.
Operating an online service comes with significant responsibilities. User security must be your top priority, and robust data protection policies are essential. There are numerous laws and guidelines that you are obligated to follow, just like other sites and services. It's crucial to understand that if you're based in the USA but handling data from users in other countries, you're still required to comply with the laws of those countries. This is why GDPR compliance is necessary, even for non-EU based services that handle EU residents' data.
We encourage you to view this as an opportunity to strengthen your security practices and ensure compliance with international data protection standards, thereby building trust with your users and protecting your business from potential legal issues.
I await your prompt response detailing your plan to address these vulnerabilities.
Regards,
Yusarina
hello@yusarina.xyz
Communication Challenges
The use of the LewdTubers contact form for these important messages proved problematic. While the form did show an on-screen confirmation after submission, it didn't follow the standard practice of sending an email receipt. This lack of proper confirmation left me uncertain whether my messages were actually received, highlighting a potential flaw in their communication system and raising concerns about their overall approach to user interaction.
Prior to sending the formal email, I attempted to contact staff members listed as admins on the Discord server. One admin directed me to use the contact form, which I had already done on August 5, 2024. This interaction demonstrates the multiple channels I explored to communicate the security concerns and how it seems no one really cared.
I also reached out to another individual, believed to be a co-owner or founder of the platform, but received no response whatsoever. This lack of communication from a key figure further underscores the difficulties in establishing a dialogue about the security concerns.
The Response
Shortly after sending my formal email, I received a reply, which was unexpectedly quick. However, the response was disappointing in its scope. The majority of the concerns I raised were not adequately addressed or acknowledged in their reply.
I replied back within 20 minutes of receiving their email. Since then, I have received nothing.
LewdTubers and Patreon: A Precarious Income Model
The reliance on Patreon as LewdTubers' primary income stream presents a precarious situation fraught with ethical and logistical challenges. Patreon's guidelines explicitly prohibit directly hosting or linking to sexually explicit content, even if it resides behind a paywall. This creates a fundamental conflict for LewdTubers, as its core offering revolves around adult-oriented material.
While Patreon allows creators in the 18+ category, the key stipulation is that the content must be hosted exclusively on their platform. LewdTubers' current model of using Patreon to fund an external website hosting explicit videos directly violates this principle. This practice could result in account suspension or termination, leaving LewdTubers without a crucial source of income and its users without access to the content they paid for.
Furthermore, relying on Patreon for indirect monetization raises ethical concerns. It essentially leverages Patreon's platform and user base to fund activities that directly contradict their terms of service.
Finding a more sustainable and ethically sound income stream is paramount for LewdTubers' long-term viability. This may involve exploring alternative platforms specifically designed for adult content, implementing a direct subscription model on their own website, or seeking partnerships with companies that cater to the adult entertainment industry.
Privacy Concerns
The absence of a clearly stated privacy policy on LewdTubers is a glaring red flag and a serious breach of trust. In today's digital landscape, where personal data is constantly being collected and processed, users have the right to know how their information is being handled. A comprehensive privacy policy serves as a crucial transparency tool, outlining what data is collected, how it is used, stored, and protected.
Given that LewdTubers requires users to provide sensitive personal information such as real names, email addresses, and even optional details like physical addresses, the need for a robust privacy policy becomes even more critical. Without clear guidelines on data handling practices, users are left in the dark about how their information might be used, shared, or potentially compromised.
Furthermore, LewdTubers' failure to comply with regulations like GDPR (General Data Protection Regulation) exposes them to significant legal risks. GDPR mandates that websites processing personal data of EU residents must adhere to strict guidelines regarding consent, data minimization, and user rights. By neglecting these requirements, LewdTubers not only jeopardizes user privacy but also faces potential fines and reputational damage.
Developing and publishing a comprehensive privacy policy is not merely a box-ticking exercise; it's a fundamental ethical obligation and a legal necessity. It demonstrates respect for user privacy, builds trust, and ensures compliance with relevant data protection laws.
Age Verification is A MUST AND IS THE LAW
LewdTubers' failure to address age verification and legal compliance raises serious concerns, particularly given its adult-oriented nature and US-based servers. The platform's lack of a readily available 18 U.S.C. §2257 Record Keeping Requirements Compliance Statement is a significant red flag. This federal law mandates that websites hosting sexually explicit content maintain records verifying the age of performers, demonstrating a commitment to preventing child exploitation.
Furthermore, LewdTubers' disregard for evolving state-level regulations regarding adult content access further exacerbates the issue. Several US states now require age verification for both creators and viewers of adult material, with some implementing even stricter measures. By neglecting these legal requirements, LewdTubers exposes itself to potential legal action and reputational damage.
The platform's lack of robust age verification mechanisms also creates a breeding ground for potential abuse and exploitation. Without proper safeguards in place, minors could potentially access explicit content, violating child protection laws and putting vulnerable individuals at risk.
It's noteworthy that many content creators view age verification as a non-negotiable requirement for platforms hosting adult material. They recognize the ethical imperative of protecting minors and ensuring a safe environment for all users. LewdTubers' failure to implement such measures not only undermines user trust but also alienates potential creators who prioritize responsible practices.
Discontent from Content Creators
Beyond the legal and ethical concerns, LewdTubers faces a growing discontent among its content creator community. Many creators feel unheard and undervalued, expressing frustration that their suggestions and ideas have been consistently brushed aside. This lack of communication and responsiveness breeds resentment and undermines the platform's potential for growth.
It's crucial to remember that content creators are the lifeblood of any platform like LewdTubers. They are the ones who generate the content that attracts users, builds a community, and ultimately determines the site's success or failure. While the founders may be content creators themselves, their personal experiences shouldn't overshadow the diverse perspectives and needs of the broader creator community.
LewdTubers must prioritize open dialogue and actively solicit feedback from not only its creators but outside creators who may be interested in joining. Establishing clear channels for communication, conducting regular surveys, and demonstrating a willingness to implement constructive suggestions are essential steps towards building trust and fostering a collaborative environment. By valuing the contributions of its creators and addressing their concerns, LewdTubers can cultivate a thriving ecosystem that benefits everyone involved.
Requirements Are Too High: You're Not Going to Grow Like This
LewdTubers' current content creator requirements are undeniably steep. Demanding a year of consistent content creation alongside substantial viewership or follower counts on established platforms like Pornhub, xVideos, Twitter, Fansly, or OnlyFans effectively shuts out emerging creators who may be producing quality content but haven't yet built a large audience.
The alternative solution – paying for a high-tier Patreon subscription – further complicates matters. While LewdTubers cites bandwidth and storage costs as justification, this effectively monetizes access for creators, potentially deterring those who are financially constrained or unwilling to invest upfront without guaranteed returns. This model risks creating a pay-to-play system that favors established creators with deeper pockets while hindering the growth of new talent.
A platform like LewdTubers should be a launchpad for discovering new content creators, not just showcasing the same familiar faces. Its current high barriers to entry and pay-to-play model risk stifling innovation and limiting user exposure to fresh perspectives.
Instead of empowering a diverse range of creators, these policies inadvertently reinforce the status quo, hindering the evolution of the adult content scene. The platform should be a catalyst for discovery, not a gatekeeper that limits access and opportunity. Lowering entry barriers and fostering a more inclusive environment would allow LewdTubers to fulfill what the website was meant to be.
They Were Not Prepared
LewdTubers' launch raises serious concerns about a lack of due diligence and preparedness. The platform appears to have been launched without adequate research into the complex legal and technical landscape surrounding adult content hosting.
Crucially, there seems to be no evidence of compliance with essential regulations like the 18 U.S.C. §2257 Record Keeping Requirements, which mandates stringent record-keeping practices for platforms hosting adult content. Furthermore, LewdTubers' apparent disregard for data protection laws like the EU's GDPR suggests a concerning lack of awareness regarding user privacy and data security.
Reports of basic security vulnerabilities, such as sending passwords in plain text, further underscore the platform's inadequate technical infrastructure. These oversights expose users to significant risks and undermine trust in the platform's ability to safeguard sensitive information.
The absence of a clear budget and long-term financial plan also casts doubt on LewdTubers' sustainability. Running a platform like this incurs substantial costs, including bandwidth, storage, legal fees, and ongoing maintenance. Without adequate funding, LewdTubers is unlikely to weather potential legal challenges or maintain the necessary infrastructure for reliable operation.
These shortcomings paint a troubling picture of a platform launched without sufficient planning, expertise, or resources. LewdTubers' current trajectory raises serious questions about its ability to operate responsibly and sustainably within the complex and demanding adult content industry.
Technical Implementation Concerns
The website appears to be built on WordPress, which is not an ideal choice for a video-centric platform. WordPress is primarily designed for blogging and general content management rather than video hosting. Furthermore, WordPress can pose significant security risks when configured by inexperienced operators, and a site's reliance on numerous third-party plugins and themes, some of which may be outdated or no longer maintained, is a common source of vulnerabilities.
Of particular concern was the site's practice of emailing user-set passwords at sign-up and, in its password-reset flow, generating a new permanent password and emailing that instead of a reset link. Neither is standard WordPress behavior (a current stock install emails set-password and reset links, never the password itself), so it points to custom modifications or a poorly configured plugin. Emailing the password at sign-up does not by itself prove plaintext storage, since the plaintext is still present in the sign-up request at that moment, but a site that treats passwords as something to hand back to users gives no reason to believe it hashes them properly, and until the operators confirm otherwise users should assume the worst. Either way, the practice compromises user security and indicates a fundamental misunderstanding of basic security principles by the site's creators.
While I have not conducted a comprehensive analysis of the specific plugins used by the site, as it falls outside the scope of this assessment, the seemingly inexperienced nature of the service's creators suggests that there may be additional issues not covered in this document.
Final Thoughts
Until LewdTubers adequately addresses these issues, I strongly advise users to refrain from using this service. Data protection and security should be the paramount concern for any online platform, and it appears that the creators of LewdTubers have not prioritized these critical aspects.
Moreover, as other users have pointed out, this service is intended for an 18+ audience. Consequently, age verification is not only necessary but legally required in several U.S. states, adding another layer of complexity to the situation. The fact that some content creators feel ignored does not help either.
In conclusion, until LewdTubers demonstrates a commitment to addressing these security and legal concerns, users should exercise extreme caution and seriously consider alternative platforms that prioritize data protection and comply with relevant regulations. The potential for plain text password storage represents a critical security risk that could have far-reaching consequences for users.
This investigation highlighted critical security vulnerabilities that should never have existed in a production environment. While the platform has now closed, this case serves as an important reminder of the responsibilities that come with operating online services, particularly those handling user data.
To any developers or platform operators reading this: user security is not optional. It's a fundamental requirement. Proper password hashing, secure data handling, comprehensive privacy policies, and compliance with data protection regulations like GDPR are not just best practices, they're essential obligations.
I hope this document serves as a learning opportunity for anyone building online platforms. The stakes are high when you're handling user data, and cutting corners on security can have serious consequences for your users and your platform's viability.
If you want further information on this or want to talk about this document, please email me at hello@yusarina.xyz.