Three security researchers have collected more than $20,000 (£15,000) in bounties after gaining access to the inner workings of a major pornography website, including sensitive data on its users.
The hackers, one of whom is a software engineer intern at Google, were awarded $20,000 under a bounty programme run by Pornhub, and another $2,000 from the Internet Bug Bounty programme for finding two serious flaws in PHP in the course of their activities.
Ruslan Habalov, a security researcher and Google intern, carried out the complex hack along with penetration tester Dario Weißer and a third individual using the handle cutz, Habalov said in a detailed blog post.
The attack, carried out in May, would have allowed hackers to copy the site’s complete user database, track user behaviour, leak the source code of all the sites hosted on the server and gain root access to the system, Habalov said.
“Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls,” he wrote.
The site fixed the issue immediately by changing the behaviour of PHP, and the two PHP bugs were fixed in late June, according to Habalov.
The exploit demonstrates the continued vulnerability of major websites and the user data they hold to less scrupulous hackers, who have in recent weeks leaked data on hundreds of millions of users of sites including LinkedIn and MySpace.
The password data from LinkedIn has since been used to breach other accounts held by prominent individuals, including Facebook chief executive Mark Zuckerberg, who used the same password on multiple services.
Another recent hack affected about two million users of Ubuntu Linux’s user forums.
Are you a security pro? Try our quiz!
Rights group argues ChatGPT tendency to generate false information on individuals violates GDPR data protection…
European Commission says Apple's iPadOS is 'gatekeeper' due to large number of businesses 'locked in'…
As the cloud continues to be an essential asset for all businesses, developing and maintaining…
Internatinal conference in Vienna calls for controls on AI-powered autonomous weapons to ensure humans remain…
Major Taiwan chip assembly and test firm KYEC to sell Jiangsu subsidiary, exit mainland China…
As deepfake technology continues to blur the lines between reality and deception, businesses and individuals…