Three security researchers have collected more than $20,000 (£15,000) in bounties after gaining access to the inner workings of a major pornography website, including sensitive data on its users.
The hackers, one of whom is a software engineer intern at Google, were awarded $20,000 under a bounty programme run by Pornhub, and another $2,000 from the Internet Bug Bounty programme for finding two serious flaws in PHP in the course of their activities.
Ruslan Habalov, a security researcher and Google intern, carried out the complex hack along with penetration tester Dario Weißer and a third individual using the handle cutz, Habalov said in a detailed blog post.
The attack, carried out in May, would have allowed hackers to copy the site’s complete user database, track user behaviour, leak the source code of all the sites hosted on the server and gain root access to the system, Habalov said.
“Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls,” he wrote.
The site fixed the issue immediately by changing the behaviour of PHP, and the two PHP bugs were fixed in late June, according to Habalov.
The exploit demonstrates the continued vulnerability of major websites and the user data they hold to less scrupulous hackers, who have in recent weeks leaked data on hundreds of millions of users of sites including LinkedIn and MySpace.
The password data from LinkedIn has since been used to breach other accounts held by prominent individuals, including Facebook chief executive Mark Zuckerberg, who used the same password on multiple services.
Another recent hack affected about two million users of Ubuntu Linux’s user forums.
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…