PornHub Pays Hackers $20,000 for its first Bounty Payout

The world's most popular pornography site has paid out its first bug bounty. How much? US $20,000. PornHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services in exchange for rewards.

PornHub has paid a $20,000 bug bounty to a team of three researchers who gained Remote Code Execution (RCE) on its servers using a zero-day vulnerability in PHP, the programming language that powers PornHub's website.

The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP's garbage collection algorithm, triggered when it interacts with other PHP objects.

One of them was reachable through PHP's unserialize function, which the website uses to handle data uploaded by users, such as pictures, on multiple paths, including:

  • site/album_upload/create
  • site/uploading/photo

This zero-day flaw let the researchers leak the address of the server's POST data, allowing them to craft a malicious payload and thereby execute rogue code on PornHub's server.
The hack was complicated and required a massive amount of work, but it granted a "nice view of Pornhub's /etc/passwd file" and allowed the team to execute commands and make PHP run malicious syscalls.
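As an added illustration (not code from the researchers' write-up or from Pornhub), the handler pattern the attack relied on is shown beside a hardened form; the function names, field names and the shape of the upload metadata are assumptions:

```php
<?php
// Added example; not the researchers' or Pornhub's code. Function names,
// field names and the metadata shape are assumptions.

// BEFORE: the pattern described above. Every byte the client sends reaches
// the unserialize() parser, so a bug in that parser (such as the garbage
// collector use-after-free fixed as CVE-2016-5771/CVE-2016-5773) is
// reachable from an ordinary upload request.
function parse_album_meta_unsafe(string $raw): array {
    $meta = unserialize($raw);   // untrusted, attacker-shaped serialized data
    return is_array($meta) ? $meta : [];
}

// AFTER: never hand attacker-controlled bytes to unserialize(). Accept a
// data-only format and validate the decoded shape explicitly. Note that
// unserialize($raw, ['allowed_classes' => false]) (PHP 7+) only blocks
// object injection; it does not protect against memory-safety bugs in the
// parser itself, which is what the researchers exploited.
function parse_album_meta(string $raw): array {
    $meta = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($meta)) {
        throw new InvalidArgumentException('album metadata must be a JSON object');
    }
    $title = $meta['title'] ?? '';
    $tags  = $meta['tags']  ?? [];
    if (!is_string($title) || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('invalid title');
    }
    // array_filter keeps keys, so strict equality means every tag is a string
    if (!is_array($tags) || count($tags) > 50
        || $tags !== array_filter($tags, 'is_string')) {
        throw new InvalidArgumentException('invalid tags');
    }
    return ['title' => $title, 'tags' => array_values($tags)];
}

// Constructed sample request body for a path like site/album_upload/create.
$body = '{"title":"holiday","tags":["beach","2016"]}';
var_dump(parse_album_meta($body));
```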

The PHP zero-day vulnerabilities affect PHP versions 5.3 and higher, though the PHP project has since fixed the issue.
The hack could have allowed the team to drop all Pornhub data including user information, to track its users and observe their behavior, to disclose all source code of co-hosted websites, to pivot deeper into the network and to gain root privileges.

HackerOne's Internet Bug Bounty program also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

The team has explained the technical details of this attack in two highly detailed blog posts.


About Jaime Lacson

A freelance computer tech with knowledge about computers, routers and mobile phones, especially OS upgrades and downgrades and software and hardware troubleshooting. Follow me on Google+.