A team of three hackers managed to gain remote code execution control of one the world's most popular adult entertainment websites thanks to some serious vulnerabilities in PHP. Using a complex hacking mechanism, they discovered a zero-day exploit in PHP that could be used to hack PornHub's website.
Researchers have said that these exploits could have been used to dump the entire database of the site, track its users, and leak source code. Submitting a report through PornHub's bug bounty program, the trio of security researchers received $20,000 for their efforts. PornHub had only launched its bug bounty program two months ago, and is apparently already saving itself from some critical security issues. Internet Bug Bounty paid an additional $2,000 for the PHP zero day discovery.
PHP zero-day flaw exploited to hack into PornHub
Google intern and security researcher Ruslan Habalov along with Dario WeiBer and a hacker going by the name of "cutz" are responsible for the discovery of these exploits in PHP. The team informed PornHub in May that they could gain access to the entire database, including sensitive user information. Researchers explained that CVE-2016-5771 and CVE-2016-5773 are use-after-free vulnerabilities that are caused when PHP's garbage collection algorithm interacts with certain PHP objects. One of these objects is PHP's unserialize function that handles data taken from user-supplied objects, including user uploads.
Researchers discovered that this function could be remotely exploited, resulting in data leaks of sensitive user information among other similar disasters for PornHub. "It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief,” Habalov said in a very detailed blog post.
PornHub fixed the problem by removing calls to this unserialize function. PHP finally patched the problems on June 23 with the release of PHP 7.0.8, 5.6.23 and 5.5.37.
The research team has said that the exploitation was complex, with multiple stages. Those interested in the technical details can visit the two detailed blog posts published by the researchers to understand the massive amount of work that went into this complex attack strategy.
