PHP project fixes issues affecting all PHP versions 5.3+

Jul 24, 2016 15:20 GMT

A team of three researchers went as far as to hunt down and discover a PHP zero-day in order to hack PornHub as part of its official bug bounty program.

The path the three took to hack PornHub is not something usually seen in everyday security research. Because PornHub's servers were reasonably well protected against common attack vectors, the researchers had to get creative with their approach.

What resulted was a zero-day in PHP, the programming language used to power PornHub's website.

Zero-day affects all servers running PHP 5.3 and higher

The issue (CVE-2016-5771/CVE-2016-5773) is a use-after-free vulnerability triggered when PHP's garbage collection algorithm interacts with certain specific PHP objects.

One such entry point is PHP's unserialize function, which rebuilds PHP values and objects from serialized data, including data supplied by users, such as uploads, and hands the result on to other parts of the server-side application for processing.
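Because the vulnerable path starts with serialized data from an untrusted source being fed to unserialize, the defensive measure an application can take on its own side (on top of applying the PHP fix) is to keep object entries out of that call altogether. The following is an added example, not code from the article or from the researchers' write-ups; it assumes PHP 7.0 or newer for the allowed_classes option, and the function names, sample payloads and class name "SomeClass" are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the article or the researchers.
// Assumes PHP >= 7.0 (for the allowed_classes option) and that $payload
// arrives from an untrusted source such as a cookie or an upload.

/**
 * Decode PHP-serialized data from an untrusted source without letting it
 * instantiate any object. The garbage-collector use-after-free described
 * above is reached through object entries, so refusing them leaves a plain
 * scalar/array decoder. This reduces exposure; it is not a substitute for
 * running a patched PHP build.
 *
 * @return mixed the decoded value (scalars, arrays, null)
 * @throws InvalidArgumentException on anything that is not safe to decode
 */
function safeUnserialize(string $data, int $maxLen = 65536)
{
    if (strlen($data) > $maxLen) {
        throw new InvalidArgumentException('serialized payload too large');
    }
    // Object tokens look like O:<len>:"Class" or C:<len>:"Class" and can only
    // legally appear at the start or after ';' / '{'. A string *containing*
    // such text also trips this check; that false positive is harmless.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data) === 1) {
        throw new InvalidArgumentException('object entries are not accepted');
    }
    // Second layer: even if the scan were bypassed, PHP looks up and
    // constructs no class (entries become __PHP_Incomplete_Class).
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() signals failure with false, but false is also the valid
    // decoding of "b:0;", so distinguish the two cases.
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized payload');
    }
    return $value;
}

/** The format most user-supplied structured data should use instead. */
function decodeJsonInput(string $data)
{
    $value = json_decode($data, true, 32);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('malformed JSON: ' . json_last_error_msg());
    }
    return $value;
}

// Constructed sample inputs (the class name "SomeClass" is a placeholder).
$samples = [
    'benign array'  => serialize(['user' => 'alice', 'prefs' => [1, 2, 3]]),
    'plain object'  => 'O:8:"stdClass":1:{s:1:"x";i:1;}',
    'custom object' => 'a:1:{i:0;C:9:"SomeClass":0:{}}',
    'truncated'     => 'a:2:{s:1:"a";i:1;',
];
foreach ($samples as $label => $payload) {
    try {
        $v = safeUnserialize($payload);
        printf("%-13s accepted: %s\n", $label, var_export($v, true));
    } catch (InvalidArgumentException $e) {
        printf("%-13s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Only the benign array is accepted; the two object payloads are rejected by the token scan before unserialize runs, and the truncated payload is rejected by the false-return check. Where the data format is under the application's control, decodeJsonInput is the better choice, since JSON carries no object-instantiation semantics at all.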

By leveraging this zero-day, the three researchers, Dario Weißer (@haxonaut), cutz, and Ruslan Habalov (@evonide), were able to leak the address of the server's POST data.

This allowed them to craft a payload that reused memory freed by PHP's garbage collector after the unserialize component had finished its work, which in turn executed rogue code on PornHub's server.

Exploitation was made harder by the fact that PornHub used a custom-compiled version of PHP, but the researchers pulled it off regardless.

The PHP zero-day they discovered affects all PHP versions from 5.3 upward; the PHP project has since fixed it.

Researchers earned $22,000 for their hard work

Since the researchers were able to achieve RCE (Remote Code Execution) on PornHub, they received one of PornHub's highest bug bounties, $20,000.

What's more, the HackerOne-hosted Internet Bug Bounty committee awarded the researchers an additional $2,000 for the discovery and responsible disclosure of the PHP zero-day.

To convey the massive amount of work that went into this theoretical attack on PornHub's servers, the researchers penned two very long and highly detailed blog posts on the technicalities of the attack, with a third one announced for the coming week.