White hat hackers access full database of Pornhub members
Two separate PHP zero-days net researchers $20,000
Hackers have discovered several critical vulnerabilities in Pormhub's security, which could have left users' sensitive information open to discovery.
The flaw was found by three security researchers - Google intern Ruslan Habalov, along with Dario Weier and @_cutz. It involved two zero-day exploits in PHP, which eventually allowed them to execute remote code.
The trio also had access to Pornhub's full database, which included users' personal information and browsing data, as well as the full source code of all the sites in the Pornhub network.
Three researchers submitted a report as part of the site's bug bounty programme, which netted them a $20,000 (15,200) bounty - just under the program's maximum payout of $25,000.
The Internet Bug Bounty organisation also contributed a reward of $2,000 (1,500) to the researchers.
"Pornhub's bug bounty program and its relatively high rewards on Hackerone caught our attention," Habalov wrote in his blog post detailing the hack. "That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities."
"We want to highlight the necessity of such programs," he went on. "As you can see, offering high bug bounties can motivate security researchers to find bugs in underlying software. This positively impacts other sites and unrelated services as well."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
IT Pro approached Pornhub for comment, but had received none at the time of publication, though the flaws in PHP have now been patched.
12/05/2016: Pornhub launches $25,000 bug bounty programme
Pornhub has launched a bug bounty programme, in an attempt to shore up the site's security.
Porn has had an uneasy relationship with cybersecurity - for years, watching online porn was regarded as the quickest way to get yourself infected with something nasty.
Efforts have been made to clear up the perception of the industry, but porn sites are clearly still attractive to cybercriminals, as a rash of malvertising campaigns that hit sites including YouPorn and Pornhub last year clearly demonstrated.
Pornhub, owner of one of the largest and most popular adult video networks on the web, is now trying to tackle this, however.
The adult site has become one of the first in the world to publicly offer a bug bounty programme, which rewards hackers for finding and reporting security flaws, rather than exploiting them.
This marks the first time the company has taken its bounty programme, which is hosted on HackerOne, into the public domain, after operating tit as a private, invite-only beta for the past year, which helped the site resolve more than 20 security flaws.
"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure - in addition to our dedicated developer and security teams - to ensure not only the security of our site but that of our users, which is paramount to us," said Pornhub's vice-president Corey Price.
Virtuous 'white hat' hackers that report a bug can earn anything from $50 to $25,000 per exploit, but there are some serious restrictions on the programme.
For starters, there is a grand total of eleven vulnerability types that Pornhub will not accept, including cross site request forgery, rate limiting and click-jacking.
This is in addition to exploit categories like social engineering and physical intrusion, which are commonly banned for bounty hunters.
On top of that, any attempted penetration must avoid causing any disruption to the site's regular delivery of porn, lest the company risk angering its user-base.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.