White hat hackers access full database of Pornhub members

Two separate PHP zero-days net researchers $20,000

Hackers have discovered several critical vulnerabilities in Pornhub's security, which could have exposed users' sensitive information.

The flaws were found by three security researchers - Google intern Ruslan Habalov, along with Dario Weißer and @_cutz. Their attack chained two zero-day vulnerabilities in PHP, which ultimately allowed them to execute code remotely on the site's servers.

The trio also had access to Pornhub's full database, which included users' personal information and browsing data, as well as the full source code of all the sites in the Pornhub network.

The three researchers submitted a report as part of the site's bug bounty programme, which netted them a $20,000 (£15,200) bounty - just under the programme's maximum payout of $25,000.

The Internet Bug Bounty organisation also contributed a reward of $2,000 (£1,500) to the researchers.

"Pornhub's bug bounty program and its relatively high rewards on Hackerone caught our attention," Habalov wrote in his blog post detailing the hack. "That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities."

"We want to highlight the necessity of such programs," he went on. "As you can see, offering high bug bounties can motivate security researchers to find bugs in underlying software. This positively impacts other sites and unrelated services as well."

IT Pro approached Pornhub for comment, but had received none at the time of publication, though the flaws in PHP have now been patched.

12/05/2016: Pornhub launches $25,000 bug bounty programme

Pornhub has launched a bug bounty programme, in an attempt to shore up the site's security.

Porn has had an uneasy relationship with cybersecurity - for years, watching online porn was regarded as the quickest way to get yourself infected with something nasty.

Efforts have been made to clear up the perception of the industry, but porn sites are clearly still attractive to cybercriminals, as the rash of malvertising campaigns that hit sites including YouPorn and Pornhub last year demonstrated.

Pornhub, owner of one of the largest and most popular adult video networks on the web, is now trying to tackle this, however.

The adult site has become one of the first in the world to publicly offer a bug bounty programme, which rewards hackers for finding and reporting security flaws, rather than exploiting them.

This marks the first time the company has taken its bounty programme, which is hosted on HackerOne, into the public domain, after operating it as a private, invite-only beta for the past year, during which it helped the site resolve more than 20 security flaws.

"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure - in addition to our dedicated developer and security teams - to ensure not only the security of our site but that of our users, which is paramount to us," said Pornhub's vice-president Corey Price.

Virtuous 'white hat' hackers who report a bug can earn anything from $50 to $25,000 per exploit, but there are some serious restrictions on the programme.

For starters, there is a grand total of eleven vulnerability types that Pornhub will not accept, including cross-site request forgery, rate limiting and click-jacking.

This is in addition to exploit categories like social engineering and physical intrusion, which are commonly banned for bounty hunters.

On top of that, any attempted penetration must avoid causing any disruption to the site's regular delivery of porn, lest the company risk angering its user-base.
