PornHub gets hacked! Pays $20,000 for hack that allowed God mode access to its website

Researchers hacked Pornhub with a PHP zero-day they discovered and reported

We hear plenty of stories of people going to extremes to get what they want, and this team of three researchers is no different.

To hack Pornhub as part of its official bug bounty program, the three chose a path that is unusual in security research: rather than looking for bugs in Pornhub's own code, they went looking for a zero-day in PHP itself, the interpreter behind the Pornhub website.

The researchers made their find public after Pornhub had patched the vulnerability. Their research can be found here and here.

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

The researchers had to think outside the box for their attack, because Pornhub's servers are well hardened against the common attack vectors. The outcome was a zero-day in PHP, the programming language that powers Pornhub's website.

The problem (CVE-2016-5771 and CVE-2016-5773) is a use-after-free: PHP's garbage collector can run while unserialize() is still working and free an object that unserialize() still holds an internal reference to. The bug reports involved objects from the SPL and Zip extensions (CVE-2016-5773 covers the ZipArchive case), which carry their own C-level unserialize handlers.

PHP's unserialize() is the function that turns a serialized string back into live PHP values and objects. Web applications routinely call it on data that came from the client, such as cookies, form fields or uploads, to carry state between different parts of the server, which means an attacker gets to choose what the string says and therefore which objects get built.

The three researchers, Dario Weißer (@haxonaut), Ruslan Habalov (@evonide) and cutz, used the zero-day first to leak the address of the server's POST data.

That leak let them craft a serialized payload that reused memory the garbage collector had freed during unserialize() and hijack the interpreter's control flow, ending with code of their choosing running on Pornhub's server.

Pornhub's custom-compiled PHP build made exploitation harder, since memory layouts and offsets from a stock distribution binary could not simply be reused. The researchers nevertheless completed the exploit.

The PHP zero-day they exposed affects PHP 5.3 and later; the PHP project has since fixed it, in the 5.5.37, 5.6.23 and 7.0.8 releases.

The researchers received one of Pornhub's highest bug bounties, $20,000, because they achieved Remote Code Execution (RCE) on Pornhub.

Remote Code Execution (RCE) means an attacker can make a server run code of the attacker's choosing. In a PHP application that can come from a bug that passes user input to eval(), from an upload feature that lets the attacker drop a file containing PHP code that the server then executes, or, as here, from memory corruption inside the interpreter itself. Once the attacker's code runs on the server, the attacker has whatever access the web server process has, which in practice means full control of the website.
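The following is an added example, not the researchers' exploit and not Pornhub's or PHP's own code. It shows the unserialize()-on-client-data pattern that this attack relied on, beside two hardened forms: switching to JSON, and authenticating the blob with an HMAC so only server-produced strings ever reach unserialize() (with object instantiation disabled via allowed_classes, PHP 7.0 and later). The cookie name, SECRET_KEY and the forged sample payload are illustrative assumptions.

```php
<?php
// Added example (not the researchers' exploit, not Pornhub's or PHP's own
// code): unserialize() on attacker-controlled bytes, beside two hardened
// alternatives. SECRET_KEY and the sample payload are illustrative assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// The client decides what the string says, so the client decides which
// classes are instantiated and which of their (C-level) unserialize
// handlers run inside the interpreter.
function load_prefs_vulnerable(string $raw)
{
    return unserialize($raw);                 // e.g. $raw = $_COOKIE['prefs']
}

// --- Fix 1: never deserialize objects from untrusted input -----------------
// JSON can only yield scalars and arrays, so no object handler is reachable.
function load_prefs_json(string $raw): ?array
{
    $data = json_decode($raw, true);          // true => associative arrays, never objects
    return is_array($data) ? $data : null;
}

// --- Fix 2: if unserialize() is unavoidable, authenticate the blob so only --
// strings the server itself produced reach the parser, and refuse to build
// objects at all (allowed_classes needs PHP >= 7.0).
const SECRET_KEY = 'replace-with-a-random-32-byte-key';   // assumption: load from config, not source

function seal_prefs(array $value): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, SECRET_KEY) . '.' . base64_encode($payload);
}

function open_prefs(string $raw): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time compare: a forged or tampered blob is rejected before
    // unserialize() ever sees it, which is what keeps parser bugs unreachable.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null;
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// --- Demo with a constructed "cookie" that smuggles in an object -----------
$forged = 'O:8:"stdClass":1:{s:4:"role";s:5:"admin";}';   // constructed sample

var_dump(load_prefs_vulnerable($forged));   // object(stdClass) built from attacker-controlled bytes
var_dump(load_prefs_json($forged));         // NULL: not JSON, nothing instantiated
var_dump(open_prefs($forged));              // NULL: no valid MAC, never parsed

$cookie = seal_prefs(['theme' => 'dark']);
var_dump(open_prefs($cookie));              // array(1) { ["theme"]=> string(4) "dark" }

// Even a MAC-valid blob cannot smuggle objects past allowed_classes => false:
// they come back as __PHP_Incomplete_Class, with no class handler invoked.
var_dump(unserialize($forged, ['allowed_classes' => false]));  // object(__PHP_Incomplete_Class)
```

The MAC check is the real defence here, not allowed_classes on its own: the PHP manual itself warns against passing untrusted input to unserialize() regardless of allowed_classes, because the serialization parser has had memory-safety bugs of its own. Disabling classes removes the per-class unserialize handlers from the attack surface; keeping attacker bytes out of the parser altogether removes the parser too.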

In addition, the researchers received a further $2,000 from the Internet Bug Bounty program, run on HackerOne, for discovering and responsibly disclosing the PHP zero-day itself.