
White hat hackers access full database of Pornhub members

Two separate PHP zero-days net researchers $20,000

Hackers have discovered several critical vulnerabilities in Pornhub's security, which could have left users' sensitive information open to discovery.

The flaws were found by three security researchers - Google intern Ruslan Habalov, along with Dario Weißer and @_cutz. Their attack chained two zero-day vulnerabilities in PHP, which eventually allowed them to execute code remotely on Pornhub's servers.

The trio also had access to Pornhub's full database, which included users' personal information and browsing data, as well as the full source code of all the sites in the Pornhub network.

The three researchers submitted a report as part of the site's bug bounty programme, which netted them a $20,000 (£15,200) bounty - just under the programme's maximum payout of $25,000.

The Internet Bug Bounty organisation also contributed a reward of $2,000 (£1,500) to the researchers.

"Pornhub's bug bounty program and its relatively high rewards on Hackerone caught our attention," Habalov wrote in his blog post detailing the hack. "That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities."

"We want to highlight the necessity of such programs," he went on. "As you can see, offering high bug bounties can motivate security researchers to find bugs in underlying software. This positively impacts other sites and unrelated services as well."

IT Pro approached Pornhub for comment, but had received none at the time of publication, though the flaws in PHP have now been patched.

12/05/2016: Pornhub launches $25,000 bug bounty programme

Pornhub has launched a bug bounty programme, in an attempt to shore up the site's security.

Porn has had an uneasy relationship with cybersecurity - for years, watching online porn was regarded as the quickest way to get yourself infected with something nasty.

Efforts have been made to clear up the perception of the industry, but porn sites are clearly still attractive to cybercriminals, as a rash of malvertising campaigns that hit sites including YouPorn and Pornhub last year demonstrated.

Pornhub, owner of one of the largest and most popular adult video networks on the web, is now trying to tackle this, however.

The adult site has become one of the first in the world to publicly offer a bug bounty programme, which rewards hackers for finding and reporting security flaws, rather than exploiting them.

This marks the first time the company has taken its bounty programme, which is hosted on HackerOne, into the public domain, after operating it as a private, invite-only beta for the past year, which helped the site resolve more than 20 security flaws.

"Like other major tech players have been doing as of late, we're tapping some of the most talented security researchers as a proactive and precautionary measure - in addition to our dedicated developer and security teams - to ensure not only the security of our site but that of our users, which is paramount to us," said Pornhub's vice-president Corey Price.

Virtuous 'white hat' hackers who report a bug can earn anything from $50 to $25,000 per exploit, but there are some serious restrictions on the programme.

For starters, there is a grand total of eleven vulnerability types that Pornhub will not accept, including cross site request forgery, rate limiting and click-jacking.

This is in addition to exploit categories like social engineering and physical intrusion, which are commonly banned for bounty hunters.

On top of that, any attempted penetration must avoid causing any disruption to the site's regular delivery of porn, lest the company risk angering its user-base.
