Hackers Collect £15,000 For Pornhub Exploit

The attack provided complete access to Pornhub’s database and exposed two PHP flaws

Three security researchers have collected more than $20,000 (£15,000) in bounties after gaining access to the inner workings of a major pornography website, including sensitive data on its users.

The hackers, one of whom is a software engineer intern at Google, were awarded $20,000 under a bounty programme run by Pornhub, and another $2,000 from the Internet Bug Bounty programme for finding two serious flaws in PHP in the course of their activities.

CODE_n14_test_installation_02

Database access

Ruslan Habalov, a security researcher and Google intern, carried out the complex hack along with penetration tester Dario Weißer and a third individual using the handle cutz, Habalov said in a detailed blog post.

The attack, carried out in May, would have allowed hackers to copy the site’s complete user database, track user behaviour, leak the source code of all the sites hosted on the server and gain root access to the system, Habalov said.

“Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls,” he wrote.

The site fixed the issue immediately by changing the behaviour of PHP, and the two PHP bugs were fixed in late June, according to Habalov.

Vulnerability

The exploit demonstrates the continued vulnerability of major websites and the user data they hold to less scrupulous hackers, who have in recent weeks leaked data on hundreds of millions of users of sites including LinkedIn and MySpace.

The password data from LinkedIn has since been used to breach other accounts held by prominent individuals, including Facebook chief executive Mark Zuckerberg, who used the same password on multiple services.

Another recent hack affected about two million users of Ubuntu Linux’s user forums.

Are you a security pro? Try our quiz!