One of the largest adult websites, Pornhub, has been compromised by a team of security researchers working within its bug bounty program, who earned $22,000 for the finding.
Security researchers Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide) went after what Pornhub is built upon, PHP itself, and succeeded in breaking it. They found two use-after-free vulnerabilities in PHP's garbage collection algorithm that become remotely exploitable wherever attacker-controlled data is passed to PHP's unserialize function. Using them, they were able to gain remote code execution on pornhub.com.
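The engine-level bugs themselves lived in PHP's C implementation and cannot be reproduced in a standalone snippet, but the precondition for reaching them remotely is simple: untrusted bytes handed to unserialize(). The following added example (not code from the article or from the researchers' write-up) shows that weak pattern beside a hardened one that never parses client-supplied data with unserialize() at all; the preference-cookie scenario, the function names and the key handling are assumptions for illustration.

```php
<?php
// Added example, not from the original article or the researchers' write-up.
// Illustrates the attack surface the article describes: attacker-controlled
// bytes reaching unserialize(). The cookie scenario and names are assumed.

declare(strict_types=1);

// Constructed sample input: a serialized PHP array as a client might send it.
$cookieValue = 'a:1:{s:5:"theme";s:4:"dark";}';

// WEAK: unserialize() on untrusted input. Besides classic PHP object
// injection, every byte of the payload is processed by the deserializer's
// native code, so engine bugs such as the GC use-after-frees mentioned in
// the article become reachable by anyone who can set the cookie.
function loadPrefsWeak(string $raw): array
{
    $data = @unserialize($raw);
    return is_array($data) ? $data : [];
}

// HARDENED: keep untrusted bytes away from unserialize(). Use JSON as the
// wire format and authenticate it with an HMAC, so that only values the
// server itself issued are ever parsed.
function issuePrefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;
}

function loadPrefsHardened(string $raw, string $key): array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return [];
    }
    // Constant-time comparison; anything not issued by us is rejected
    // before any parsing of the payload takes place.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return [];
    }
    // Shallow, associative decode with an explicit depth limit.
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Demonstration. The key is generated here only for the demo; a real
// deployment loads a persistent secret from configuration (assumed).
$key = random_bytes(32);

$token = issuePrefs(['theme' => 'dark'], $key);
var_dump(loadPrefsHardened($token, $key));          // valid token
var_dump(loadPrefsHardened($token . 'x', $key));    // tampered MAC
var_dump(loadPrefsHardened($cookieValue, $key));    // raw serialized data, never parsed

// For contrast, the weak path happily feeds the raw cookie to the engine.
var_dump(loadPrefsWeak($cookieValue));
```

PHP 7's unserialize() accepts an allowed_classes option that blocks object instantiation and therefore much of the object-injection risk, but the native parser still runs over every attacker-supplied byte, which is exactly the code path the researchers fuzzed. Where serialized PHP data genuinely has to cross a trust boundary, authenticate it first, as above, so that unauthenticated input is discarded before it reaches the deserializer.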
Pornhub averages 18.9 billion views per year and more than 60 million daily visits, with four million registered Pornhub users, according to Alexa rankings. The flaws gave the white hats enough access that they could have "dump[ed] the complete database of Pornhub including all sensitive user information," such as the identities of those uploading risqué and explicit films, and of those starring in them.
“Of course none of the above things were done and very careful attention was paid to respect the scope and limitations of the bug bounty program,” the researchers said.
For their efforts, they earned a $20,000 bug bounty from the site's program (administered through HackerOne) and a further $2,000 from the Internet Bug Bounty committee.
“Pornhub’s bug bounty program and its relatively high rewards on HackerOne caught our attention,” they said in an analysis. “That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned.”
They added that PHP's track record shows a tendency toward bugs and memory corruption vulnerabilities. At the time, however, there were no publicly known vulnerabilities in newer PHP versions such as PHP 5.6 or PHP 7.
“Hence, auditing it can be compared to squeezing an already tightly squeezed lemon,” they explained. “Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
To find an answer, they built a purpose-made fuzzer targeting PHP's unserialize function, which turned up a handful of cases of unexpected behavior.
“A tremendous amount of time was necessary to analyze potential issues,” they said. “After all, we could extract a concise proof of concept of a working memory corruption bug—a so-called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm…After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work, a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”