Researchers exploited PHP Zero-Days to Hack PornHub

A team of researchers has found a couple of critical flaws in PHP and exploited them to hack PornHub, on one of the most popular adult websites.

Diclaimer: This article is written to discuss the security implications and technical aspects of a hack that was recently done. If you by anyway are offended by the topic please feel free move on to other articles. The article is written with an information security perspective with stats and data relating to use keeping in mind professionals are going to read it. It has no explicit content whatsoever.

Pornhub or what many of us may have known as Sex Education 101, had recently organised a bug bounty competition and hence paid three highly dedicated security researchers to find  two major zero-day vulnerabilities.

Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771 and CVE-2016-5773) in PHP’s garbage collection algorithm when it interacts with other PHP objects.

“It all started by auditing Pornhub, then PHP and ended in breaking both…

• We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone.
• We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm.
• Those vulnerabilities were remotely exploitable over PHP’s unserialize function.
• We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f.Hackerone).

” wrote Habalov.

Back to how to hack PornHub, the duo used PHP’s unserialize function on the website that handles data uploaded by users, mainly NSFW pictures or videos on paths including :

• http://www.pornhub.com/album_upload/create
• http://www.pornhub.com/uploading/photo

The zero-day flaw allowed the researchers to reveal the server’s POST data, allowing them to plant a malicious payload and thereby executing it to gainRemote Code Execution (RCE) capability on PornHub’s server.

“It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief,” added Habalov.

The flaw allowed them to hack PornHub, they gained a view of the path “/etc/passwd file” that allowed them to execute commands and make PHP run malicious syscalls.

Pornhub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

“Now why this sort of vulnerability matters to me ? ” , will definitely be a question you may ask yourself . Lets answer this “Sanskari “[cultured] side of you with some statistics.

 

Pornhub is one of the biggest free porn sites on the surface web which got 21.2 billion visits in 2015, with 2.5 million visits per hour, 40,000 visits per minute and 6700 visits per second. It streams 75 GB per second of content and has a bandwidth use of 1892 PETABYTES.

That means one of us has definitely used it for “research” purposes at one point or another. Now how does this matter to the Internet ?

Well according to experts 37% the Internet is porn, which was quoted in 2010 and the number has gotten bigger with Mobile computing and Cloud getting in the mix. In fact, the numbers are so gargantuan that such domains have their own extensions like “.XXX “.

For those who still don’t believe me, please check out this article by Julie Ruvolo on Forbes.

And for those people who still question these numbers feel free to read  Ogi Ogas, one of the amazingly nerdy neuroscientists behind A Billion Wicked Thoughts. He and co-author Sai Gaddam are sitting on what they think is “the most comprehensive collection of porn-use stats on the web.”

Happy Researching !!