Pornhub hacked: Hackers go away with $20,000 instead of exposing flaw

Pornhub gets hacked: Hackers go away with $20,000 instead of exposing user’s preferences

Porn sites have an amazingly huge number of subscribers. For porn site users, hacks of their preferred sites are nothing but nightmares. Everyone, including their family and friends, gets to know their squalid hobby. For Pornhub user were next on the list of shame. A group of hackers managed to access the data of millions of users of the site. Unlike the Ashley Madison’s case, Pornhub users are safe.

Pornhub, with the intention of keeping its site secure, launched a competition for hackers and security analysts to find vulnerabilities in the site. Two hackers exposed vulnerabilities that attackers can exploit remotely to access users data. Pornhub rewarded the hackers $20,000 for revealing the weaknesses.

PHP vulnerability exposed the users’ data. The vulnerability assured the hackers code execution permission. In June, PHP patched the bug. The flaw connects to a use-after-free memory bug that is a result of PHP’s garbage collection algorithm interaction with other PHP objects. The vulnerability thus allowed unauthenticated tracking of users activities in Pornhub.

The most dangerous aspect of the bug is the fact that it allowed code execution on the site’s servers. Hackers could erase all data on the site and download whatever data they needed, explained Ruslan Habalov, a computer science student in Germany. The student, studying at RWTH-Aachen University, was among the group that discovered the security flaw.

Pornhub is not a site to take security flaws for granted given it has over 60 million visitors a day. If a hacker exploited the flaw, the results would be disastrous due to the volume of subscribers of the site.

According to Evonide, Pornhub awarded the security researchers a $20,000 bounty and the grouped received another $2,000 prize from the Internet Bug Bounty Committee. They received the awards through HackerOne bug bounty program. The researcher reported the bug on May 30, a few weeks after Pornhub launched the bug competition.

“The bug connected two seemingly disparate aspects of PHP to create vulnerability,” Habalov explained. According to the computer science student, the site was transmitting data via PHP’s unserialize function and PHP’s garbage collection algorithm. The use-after-free PHP bug and the unserialize function PHP bug presence made code execution on Pornhub servers possible. Each of the bugs earned the two researchers $1,000 from the Internet Bug Bounty Committee.

Pornhub was quick to respond to the flaw security report. The company removed the unserialize function with PHP a few hours later. In June the site patched the security flaw. The hackers had no use for the data. Instead, they sent the report to Pornhub. If only all hacker were this noble.