PornHub Pays Hackers $20,000 to Find Zero-day Flaws in its Website

Cyber attacks get bigger, smarter, more damaging.

P*rnHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Now, it turns out that the world’s most popular prngraphy site has paid its first bounty payout. But how much?

US $20,000!

Yes, P*rnHub has paid $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP – the programming language that powers P*rnHub’s website.

The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP’s garbage collection algorithm when it interacts with other PHP objects.

One of those is PHP’s unserialize function on the website that handles data uploaded by users, like hot pictures, on multiple paths, including:

• http://www.PrnHb.com/album_upload/create
• http://www.PrnHb.com/uploading/photo
  This zero-day flaw let the researchers reveal the address of the server’s POST data, allowing them to craft a malicious payload and thereby executing rogue code on P*rnHub’s server.

The hack was complicated and required a massive amount of work that granted a “nice view of P*rnHub’s /etc/passwd file,” allowing the team to execute commands and make PHP run malicious syscalls.

The PHP zero-day vulnerabilities affect all PHP versions of 5.3 and higher, though the PHP project has fixed the issue.

The hack could have allowed the team to drop all P*rnHub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.

P*rnHub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

The sophisticated hack on P*rnHub’s servers that allowed the team to gain full access to the entire P*rnHub database has been explained in two highly detailed blog posts. You can head on to them for technicalities of this attack.