Pornhub subscriber info exposed, but relax, it was a bug bounty exploit

A hack could have revealed user info on Pornhub subscribers.

Hackers were able to gain remote code execution and tap into the inner workings of popular porn site Pornhub, including a list of users. But fear not: it was a team of white-hat hackers after a $20,000 bug bounty reward.

The team, led by Ruslan Habalov, found two use-after-free vulnerabilities in PHP's garbage collection algorithm. Those flaws were remotely exploitable via PHP's unserialize function, as Habalov explained in precise detail on his Evonide blog.

The hack, according to Habalov, could have enabled his team to track and observe user behavior on the platform, leak the complete available source code of all sites hosted on the server, and then escalate further into the network or root the system.

He submitted the exploit on May 30 to Hackerone, a bug bounty platform. Pornhub fixed the bug within a few hours by removing its calls to unserialize. On June 14, the team was paid $20,000 for its disclosure. Two days later, the team submitted the issues to PHP's bug tracking system, bugs.php.net, and on June 21 both bugs were fixed in PHP's security repository. On June 22, Pornhub resolved the issue on Hackerone. On June 27, the team was rewarded again, this time by Hackerone IBB, with prize money of $2,000 ($1,000 for each vulnerability).
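The mitigation the article describes, removing unserialize calls on attacker-reachable input, looks like the following in practice. This is an added PHP example and not code from the article, from Pornhub or from the Evonide write-up; the cookie name, the expected keys and the HMAC key handling are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed scenario (hypothetical): per-visitor state is stored in a cookie named "state".
// Nothing below is taken from the site discussed in the article.

// BEFORE: the risky pattern. Every byte of the cookie is parsed by PHP's native
// serializer, so any defect on that code path (such as the use-after-free bugs the
// article describes) is reachable by anyone who can set the cookie.
function load_state_unsafe(string $cookie): array
{
    $state = unserialize($cookie);          // untrusted bytes hit the native parser
    return is_array($state) ? $state : [];
}

// AFTER: authenticate the cookie first, then decode it with a data-only format and
// validate its shape explicitly. json_decode() with assoc=true never instantiates
// objects and does not use the serializer / garbage-collector path that was affected.

// Assumed: the server-side key is loaded from configuration, never from the request.
const STATE_HMAC_KEY = 'replace-with-a-random-32-byte-key-from-config'; // placeholder

// Keys the application actually expects, with the type each value must have.
const STATE_SCHEMA = [
    'lang'   => 'string',
    'page'   => 'integer',
    'hd'     => 'boolean',
];

function issue_state_cookie(array $state): string
{
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $mac     = hash_hmac('sha256', $payload, STATE_HMAC_KEY);
    return $mac . '.' . base64_encode($payload);
}

function load_state_safe(string $cookie): array
{
    // 1. Split "<hex mac>.<base64 payload>" and reject anything malformed.
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return [];
    }

    // 2. Constant-time comparison: only cookies we issued are decoded at all.
    $expected = hash_hmac('sha256', $payload, STATE_HMAC_KEY);
    if (!hash_equals($expected, $mac)) {
        return [];
    }

    // 3. Decode as plain data with a small depth limit (8 chosen here), never as objects.
    try {
        $state = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($state)) {
        return [];
    }

    // 4. Keep only known keys whose values have the expected type; drop everything else.
    $clean = [];
    foreach (STATE_SCHEMA as $key => $type) {
        if (array_key_exists($key, $state) && gettype($state[$key]) === $type) {
            $clean[$key] = $state[$key];
        }
    }
    return $clean;
}

// Usage (constructed): a cookie the server issued round-trips; a forged one is dropped.
$good = issue_state_cookie(['lang' => 'en', 'page' => 3, 'hd' => true, 'extra' => 'ignored']);
var_dump(load_state_safe($good));                 // lang/page/hd only, "extra" removed
var_dump(load_state_safe('O:8:"stdClass":0:{}')); // empty array: not signed, never parsed
```

Since PHP 7.0 unserialize also accepts an `allowed_classes` option that can be set to false, but that only restricts which objects are created; it does not remove exposure to memory-safety bugs inside the unserialize implementation itself. Dropping the call entirely, as the article says Pornhub did, is the change that closes that exposure.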
