
Pornhub subscriber info exposed, but relax, it was a bug bounty exploit

Hackers were able to gain remote code execution on the popular porn site Pornhub and tap into its inner workings, including a list of users. But fear not: it was a team of white-hat hackers working toward a $20,000 bug bounty reward.

The team, led by Ruslan Habalov, found two use-after-free vulnerabilities in PHP's garbage collection algorithm. The flaws were remotely exploitable through PHP's unserialize function wherever the site passed attacker-controlled data to it, as Habalov explained in precise detail on his Evonide blog.

The hack, according to Habalov, could have enabled his team to track and observe user behavior on the platform, leak the complete source code of all sites hosted on the server, and then escalate further into the network or root the system.

He submitted the exploit on May 30 to HackerOne, a bug bounty platform. It took Pornhub a mere few hours to fix the bug by removing its calls to unserialize. On June 14, the team was paid $20,000 for the disclosure. Two days later, the team reported the two PHP issues to PHP's bug tracker, bugs.php.net, and on June 21 both bugs were fixed in PHP's security repository. On June 22, Pornhub marked the issue resolved on HackerOne. On June 27, the team was rewarded again, this time by HackerOne's Internet Bug Bounty (IBB), with $2,000 ($1,000 for each vulnerability).
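The fix the article describes is instructive: Pornhub did not patch PHP, it stopped feeding attacker-controlled bytes to unserialize at all. The snippet below is an added example, not Pornhub's or Evonide's code, showing the pattern that was removed beside a replacement that never calls unserialize. The cookie name, the preference fields, the secret key and PHP 8 are assumptions for illustration. Note that unserialize's allowed_classes option (PHP 7.0+) only narrows which classes may be instantiated; it still hands the attacker's bytes to the same parser, so it is not a substitute for removing the call.

```php
<?php
// Added example (not Pornhub's or Evonide's code). Assumes PHP 8+.
// Hypothetical cookie name 'prefs', fields and key are assumptions.

// BEFORE: the pattern the article says Pornhub removed. Anyone who can set
// the cookie reaches unserialize() with arbitrary bytes, so any bug in the
// parser or in how the resulting object graph is collected is remotely reachable.
function loadPrefsVulnerable(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    $prefs = @unserialize($raw);          // attacker-controlled serialized data
    return is_array($prefs) ? $prefs : [];
}

// AFTER: no unserialize() anywhere. The cookie carries JSON plus an HMAC, so the
// server only parses payloads it issued itself, and json_decode() with assoc=true
// and a depth limit yields plain arrays, never objects of arbitrary classes.
const PREFS_KEY = 'replace-with-a-random-32-byte-secret'; // assumption: load from config in practice
const ALLOWED_PREFS = ['theme' => 'string', 'per_page' => 'int', 'autoplay' => 'bool'];

function issuePrefsCookie(array $prefs): string
{
    $payload = json_encode(array_intersect_key($prefs, ALLOWED_PREFS), JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, PREFS_KEY);
    return $mac . '.' . base64_encode($payload);
}

function loadPrefsHardened(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return [];                        // wrong shape: ignore without parsing
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, PREFS_KEY), $mac)) {
        return [];                        // tampered or not issued by us: ignore
    }
    $prefs = json_decode($payload, true, 4, JSON_THROW_ON_ERROR); // arrays only, depth-limited
    if (!is_array($prefs)) {
        return [];
    }
    // Whitelist and type-check every field before it reaches application code.
    $clean = [];
    foreach (ALLOWED_PREFS as $name => $type) {
        if (!array_key_exists($name, $prefs)) {
            continue;
        }
        $value = $prefs[$name];
        $ok = match ($type) {
            'string' => is_string($value) && strlen($value) <= 32,
            'int'    => is_int($value) && $value >= 1 && $value <= 100,
            'bool'   => is_bool($value),
        };
        if ($ok) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Constructed demo input: one cookie we issued, one attacker-supplied serialized blob.
$good = issuePrefsCookie(['theme' => 'dark', 'per_page' => 50, 'autoplay' => false]);
var_dump(loadPrefsHardened(['prefs' => $good]));                     // the three whitelisted fields
var_dump(loadPrefsHardened(['prefs' => 'O:8:"stdClass":0:{}']));     // empty array: rejected before any parsing
```

The HMAC check runs before the JSON parser is ever invoked, so a remote attacker cannot choose the bytes the parser sees; that is the property the original unserialize call lacked, and it is the same property the article's fix (removing unserialize) restored.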
