Two months ago, PornHub launched its bug bounty program to motivate hackers and bug hunters to find and report flaws in its site and get rewarded. So, when hackers found a vulnerability in its website, the world’s most popular pornography site paid them the huge sum of $20,000.
Yeah, you got it right: U.S. $20,000 was paid by the site to a team of three researchers. The bug they found let them gain Remote Code Execution (RCE) on its servers using a zero-day vulnerability in PHP, the programming language that powers the site (a vulnerability in PHP that allows remote attackers to gain full access). The three researchers, Dario Weißer, cutz and Ruslan Habalov, discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP’s garbage collection algorithm when it interacts with other PHP objects. One of the flaws is in uploading the hot pictures, reachable through multiple paths:
- http://www.pornhub.com/album_upload/ccreate
- http://www.pornhub.com/uploading/photo
This zero-day flaw in PHP let the researchers reveal the address of the server’s POST data, allowing them to run malicious code of their choosing on PornHub’s server. The hack was tough and required hard work, which also included running malicious system calls.
This PHP zero-day vulnerability exists in and affects all versions of PHP 5.3 and higher, but it has now been fixed. The bug could have allowed hackers to track all the users and gain their information, disclose all source code of co-hosted websites, and possibly gain root privileges on the site, but the researchers didn’t try this.
PornHub paid them a handsome $20,000 for their extraordinary efforts, and they were also paid $2,000 by the Internet Bug Bounty program on HackerOne for their incredible work in discovering the PHP zero-days.
With this, an important vulnerability in PHP was also revealed, which alerted many websites that had been unaware of it.