Hackers Find a Flaw in PornHub and Save Millions from Embarrassments and Breakups


A few months ago an adult entertainment website decided to improve its online security by introducing a bounty program, which it launched on HackerOne – a platform where cyber security specialists can test their skills and get paid for finding vulnerabilities and flaws. Bounties start at $50 and reach up to $15,000, but this one, which exposed a PHP flaw, paid out $20,000.

Image Source: HackerOne – A screenshot of the PornHub profile on HackerOne stressing the importance of online security.

The flaw was discovered by three hackers from Germany, and it allowed them to execute code on the servers the site was hosted on. The vulnerability was in PHP itself, and PHP had patched it a few months earlier. For those curious about the nature of the flaw: it is a use-after-free memory bug, triggered when PHP's unserialization routine interacts with other parts of the PHP runtime. The more serious problem was that it could have allowed cybercriminals to run custom scripts on the servers, ultimately letting them take control of the website or even wipe it entirely clean.

Image Source: HackerOne – A screenshot from the same PornHub profile showing the rewards offered for different vulnerabilities, starting at $50 and going all the way up to $15,000, and $25,000 in exceptional cases.

Ruslan Habalov, a computer science student at a German university and one of the three hackers who discovered the vulnerability, said this was a very serious issue, not just for PornHub but for any website with a similar code architecture.

According to Alexa, the website ranks among the top 100 sites, with PornHub's daily visitors numbering more than half a billion on any given day. With that much traffic, had the flaw not been patched, the accounts of users registered on the site (whose email addresses and passwords are stored on its servers) could have been breached. Thanks to their efforts, the students spared a lot of people embarrassment and break-ups, and were rewarded with $20,000 from PornHub plus an additional $2,000 from the bounty committee.

Image Source: HackerOne – A screenshot of the timeline showing the payments PornHub made to participants and the security updates it carried out.

According to Habalov, this flaw was different. It involved two separate parts of PHP, which the team studied together to find the bug: the adult entertainment website passed its data through PHP's unserialize routine, which interacts with the garbage collection algorithm, and that combination allowed commands to be delivered to its servers.

This problem allowed the students to discover and track the online behaviour of PornHub's visitors, download the website's source code, and gain root access to the system and its backend systems. According to the students, using PHP's unserialize on user input has always been a bad idea, and it has been more than nine years since this class of flaw was first discovered. They added that almost all programmers working with PHP assume the flaw only affects old PHP versions and not new ones, an assumption that is only now being reconsidered.
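The defence the students point at, as an added example that is not code from the article or from the researchers: the unsafe pattern, PHP's unserialize() applied to data the visitor controls, beside two alternatives that keep objects from ever being instantiated from outside input. The CacheEntry class, the serialized string, the cookie-like blob and the signing key below are all constructed for the demonstration and are not taken from the site or the report.

```php
<?php
declare(strict_types=1);

// Added example, not from the article or the researchers. CacheEntry, the
// serialized blob and the signing key are constructed for the demonstration.

// A class with logic in a magic method. With unrestricted unserialize(), any
// class reachable by the autoloader can be instantiated from outside input, and
// its __wakeup()/__destruct() run with whatever property values the input set.
final class CacheEntry
{
    public function __construct(public string $path = '/tmp/example.cache') {}

    public function __destruct()
    {
        echo "CacheEntry::__destruct would operate on {$this->path}\n";
    }
}

// Constructed stand-in for a cookie or form field the server never produced:
// a CacheEntry object whose "path" property the sender chose.
const UNTRUSTED_BLOB = 'O:10:"CacheEntry":1:{s:4:"path";s:13:"/srv/app/.env";}';

// The pattern the students warn about: the sender picks the class and its state.
function loadUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Mitigation 1 (PHP 7.0+): forbid object instantiation during unserialize().
// Any object in the input becomes __PHP_Incomplete_Class, whose magic methods
// never run; after that, accept only plain arrays.
function loadRestricted(string $raw): array|false
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : false;
}

// Mitigation 2: do not deserialize PHP objects from clients at all. Carry a
// JSON document plus an HMAC so only server-minted blobs are accepted.
function encodeSigned(array $data, string $key): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function decodeSigned(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        return null;
    }
    // Constant-time comparison; verify the MAC before parsing anything.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Demonstration on the constructed input.
$key = random_bytes(32); // constructed here; a real deployment loads it from config

$obj = loadUnsafe(UNTRUSTED_BLOB);
printf("unsafe: got %s with path %s\n", get_class($obj), $obj->path);
unset($obj); // the destructor runs here with the sender-chosen path

var_dump(loadRestricted(UNTRUSTED_BLOB)); // bool(false): object rejected

$token = encodeSigned(['user_id' => 42, 'theme' => 'dark'], $key);
var_dump(decodeSigned($token, $key));       // array with the two keys
var_dump(decodeSigned($token . 'x', $key)); // NULL: MAC mismatch, never parsed
```

The first mitigation is the smallest change to existing code and stops the class-instantiation path, but it still lets an outside party drive the unserialize parser with arbitrary input; the second removes that parser from the client-facing path entirely, which is the stronger position when the stored data is just a few scalars.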

The hackers did not compromise the website; instead they uploaded a file containing a greeting from the HackerOne community and informed the admins of their findings.

Source: Info Security Magazine, HackerOne


This article (Hackers Find a Flaw in PornHub and Save Millions from Embarrassments and Breakups) is free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.com.
