Happy ending for Pornhub after vulnerability researchers gain access to entire user database

Now we know where Google’s engineers surf in their lunch break.

Graham Cluley
@gcluley

The Register reports:

A trio of hackers have gained remote code execution powers on servers used by adult entertainment outlet Pornhub, using a complex hack that revealed twin zero day flaws in PHP.

Google sofware intern and security boffin Ruslan Habalov (@evonide) detailed the Return Orientated Programming hack in detailed debriefing explaining how he and fellow hackers @_cutz and Dario Weißer @haxonaut gained access to the entire Pornhub database including sensitive user information.

Sign up to our newsletter
Security news, advice, and tips.

Regular readers will recall that earlier this year Pornhub announced its bug bounty program, asking vulnerability researchers to help harden its security.

The researcher threesome rose to the challenge, and earned themselves a tasty US $20,000 from Pornhub for their efforts. The Internet Bug Bounty threw an extra US $2,000 into the mix for the discovery of the PHP zero-day vulnerabilities.

In the wrong hands, vulnerabilities like these could have caused enormous damage to the x-rated website and its many clandestine users, as well as potentially other sites too.

So, a happy ending all round.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.