The Register reports:
A trio of hackers have gained remote code execution powers on servers used by adult entertainment outlet Pornhub, using a complex hack that revealed twin zero day flaws in PHP.
Google software intern and security boffin Ruslan Habalov (@evonide) detailed the Return Orientated Programming hack in a detailed debriefing explaining how he and fellow hackers @_cutz and Dario Weißer @haxonaut gained access to the entire Pornhub database including sensitive user information.
Regular readers will recall that earlier this year Pornhub announced its bug bounty program, asking vulnerability researchers to help harden its security.
The researcher threesome rose to the challenge, and earned themselves a tasty US $20,000 from Pornhub for their efforts. The Internet Bug Bounty threw an extra US $2,000 into the mix for the discovery of the PHP zero-day vulnerabilities.
In the wrong hands, vulnerabilities like these could have caused enormous damage to the x-rated website and its many clandestine users, as well as potentially other sites too.
So, a happy ending all round.