PornHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.
Now, it turns out that the world's most popular pornography site has paid its first bounty payout. But how much?
Yes, PornHub has paid $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP – the programming language that powers PornHub's website.
The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP's garbage collection algorithm when it interacts with other PHP objects.
One of those is PHP's unserialize function on the website that handles data uploaded by users, like hot pictures, on multiple paths, including:
The hack was complicated and required a massive amount of work that granted a "nice view of Pornhub’s /etc/passwd file," allowing the team to execute commands and make PHP run malicious syscalls.
The PHP zero-day vulnerabilities affect all PHP versions of 5.3 and higher, though the PHP project has fixed the issue.
The hack could have allowed the team to drop all Pornhub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.
Pornhub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.
The sophisticated hack on PornHub's servers that allowed the team to gain full access to the entire Pornhub database has been explained in two highly detailed blog posts. You can head on to them for technicalities of this attack.