White hat hackers access full database of Pornhub members

Two separate PHP zero-days net researchers $20,000

Hackers have discovered several critical vulnerabilities in Pornhub's security, which could have left users' sensitive information open to discovery.

The flaws were found by three security researchers - Google intern Ruslan Habalov, along with Dario Weier and @_cutz. They involved two zero-day exploits in PHP, which eventually allowed the researchers to execute remote code.

The trio also had access to Pornhub's full database, which included users' personal information and browsing data, as well as the full source code of all the sites in the Pornhub network.

The three researchers submitted a report as part of the site's bug bounty programme, which netted them a $20,000 (£15,200) bounty - just under the programme's maximum payout of $25,000.


The Internet Bug Bounty organisation also contributed a reward of $2,000 (£1,500) to the researchers.

"Pornhub's bug bounty program and its relatively high rewards on Hackerone caught our attention," Habalov wrote in his blog post detailing the hack. "That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities."

"We want to highlight the necessity of such programs," he went on. "As you can see, offering high bug bounties can motivate security researchers to find bugs in underlying software. This positively impacts other sites and unrelated services as well."

IT Pro approached Pornhub for comment, but had received none at the time of publication, though the flaws in PHP have now been patched.

12/05/2016: Pornhub launches $25,000 bug bounty programme

Pornhub has launched a bug bounty programme, in an attempt to shore up the site's security.

Porn has had an uneasy relationship with cybersecurity - for years, watching online porn was regarded as the quickest way to get yourself infected with something nasty.

Efforts have been made to clear up the perception of the industry, but porn sites are clearly still attractive to cybercriminals, as a rash of malvertising campaigns that hit sites including YouPorn and Pornhub last year demonstrated.

Pornhub, owner of one of the largest and most popular adult video networks on the web, is now trying to tackle this, however.

The adult site has become one of the first in the world to publicly offer a bug bounty programme, which rewards hackers for finding and reporting security flaws, rather than exploiting them.


This marks the first time the company has taken its bounty programme, which is hosted on HackerOne, into the public domain, after operating it as a private, invite-only beta for the past year, which helped the site resolve more than 20 security flaws.

"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure - in addition to our dedicated developer and security teams - to ensure not only the security of our site but that of our users, which is paramount to us," said Pornhub's vice-president Corey Price.

Virtuous 'white hat' hackers who report a bug can earn anything from $50 to $25,000 per exploit, but there are some serious restrictions on the programme.

For starters, there is a grand total of eleven vulnerability types that Pornhub will not accept, including cross-site request forgery, rate limiting and clickjacking.

This is in addition to exploit categories like social engineering and physical intrusion, which are commonly banned for bounty hunters.

On top of that, any attempted penetration must avoid causing any disruption to the site's regular delivery of porn, lest the company risk angering its user-base.
