White hat hackers access full database of Pornhub members

Two separate PHP zero-days net researchers $20,000

Hackers have discovered several critical vulnerabilities in Pormhub's security, which could have left users' sensitive information open to discovery.

The flaw was found by three security researchers - Google intern Ruslan Habalov, along with Dario Weier and @_cutz. It involved two zero-day exploits in PHP, which eventually allowed them to execute remote code.

Advertisement - Article continues below

The trio also had access to Pornhub's full database, which included users' personal information and browsing data, as well as the full source code of all the sites in the Pornhub network.

Three researchers submitted a report as part of the site's bug bounty programme, which netted them a $20,000 (15,200) bounty - just under the program's maximum payout of $25,000.

The Internet Bug Bounty organisation also contributed a reward of $2,000 (1,500) to the researchers.

"Pornhub's bug bounty program and its relatively high rewards on Hackerone caught our attention," Habalov wrote in his blog post detailing the hack. "That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities."

"We want to highlight the necessity of such programs," he went on. "As you can see, offering high bug bounties can motivate security researchers to find bugs in underlying software. This positively impacts other sites and unrelated services as well."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

IT Pro approached Pornhub for comment, but had received none at the time of publication, though the flaws in PHP have now been patched.

12/05/2016: Pornhub launches $25,000 bug bounty programme

Pornhub has launched a bug bounty programme, in an attempt to shore up the site's security.

Porn has had an uneasy relationship with cybersecurity - for years, watching online porn was regarded as the quickest way to get yourself infected with something nasty.

Efforts have been made to clear up the perception of the industry, but porn sites are clearly still attractive to cybercriminals, as a rash of malvertising campaigns that hit sites including YouPorn and Pornhub last year clearly demonstrated.

Pornhub, owner of one of the largest and most popular adult video networks on the web, is now trying to tackle this, however.

The adult site has become one of the first in the world to publicly offer a bug bounty programme, which rewards hackers for finding and reporting security flaws, rather than exploiting them.

Advertisement - Article continues below

This marks the first time the company has taken its bounty programme, which is hosted on HackerOne, into the public domain, after operating tit as a private, invite-only beta for the past year, which helped the site resolve more than 20 security flaws.

"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure - in addition to our dedicated developer and security teams - to ensure not only the security of our site but that of our users, which is paramount to us," said Pornhub's vice-president Corey Price.

Virtuous 'white hat' hackers that report a bug can earn anything from $50 to $25,000 per exploit, but there are some serious restrictions on the programme.

For starters, there is a grand total of eleven vulnerability types that Pornhub will not accept, including cross site request forgery, rate limiting and click-jacking.

This is in addition to exploit categories like social engineering and physical intrusion, which are commonly banned for bounty hunters.

On top of that, any attempted penetration must avoid causing any disruption to the site's regular delivery of porn, lest the company risk angering its user-base.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020
Visit/business-strategy/it-infrastructure/356258/the-growing-case-for-it-flexibility
Sponsored

The growing case for IT flexibility

30 Jun 2020