Security Affairs
Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Researchers exploited PHP Zero-Days to Hack PornHub

A team of researchers has found a couple of critical flaws in PHP and exploited them to hack PornHub, on one of the most popular adult websites. Diclaimer: This article is written to discuss the security implications and technical aspects of a hack that was recently done. If you by anyway are offended by the […]

Researchers exploited PHP Zero-Days to Hack PornHub

A team of researchers has found a couple of critical flaws in PHP and exploited them to hack PornHub, on one of the most popular adult websites.

Diclaimer: This article is written to discuss the security implications and technical aspects of a hack that was recently done. If you by anyway are offended by the topic please feel free move on to other articles. The article is written with an information security perspective with stats and data relating to use keeping in mind professionals are going to read it. It has no explicit content whatsoever.

Pornhub or what many of us may have known as Sex Education 101, had recently organised a bug bounty competition and hence paid three highly dedicated security researchers to find  two major zero-day vulnerabilities.

Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771 and CVE-2016-5773) in PHP’s garbage collection algorithm when it interacts with other PHP objects.

“It all started by auditing Pornhub, then PHP and ended in breaking both…

  • We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone.
  • We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm.
  • Those vulnerabilities were remotely exploitable over PHP’s unserialize function.
  • We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f.Hackerone).

wrote Habalov.

Back to how to hack PornHub, the duo used PHP’s unserialize function on the website that handles data uploaded by users, mainly NSFW pictures or videos on paths including :

The zero-day flaw allowed the researchers to reveal the server’s POST data, allowing them to plant a malicious payload and thereby executing it to gainRemote Code Execution (RCE) capability on PornHub’s server.

“It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief,” added Habalov.

The flaw allowed them to hack PornHub, they gained a view of the path “/etc/passwd file” that allowed them to execute commands and make PHP run malicious syscalls.

Pornhub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

“Now why this sort of vulnerability matters to me ? ” , will definitely be a question you may ask yourself . Lets answer this “Sanskari “[cultured] side of you with some statistics.

 

hack PornHub

Pornhub is one of the biggest free porn sites on the surface web which got 21.2 billion visits in 2015, with 2.5 million visits per hour, 40,000 visits per minute and 6700 visits per second. It streams 75 GB per second of content and has a bandwidth use of 1892 PETABYTES.

That means one of us has definitely used it for “research” purposes at one point or another. Now how does this matter to the Internet ?

Well according to experts 37% the Internet is porn, which was quoted in 2010 and the number has gotten bigger with Mobile computing and Cloud getting in the mix. In fact, the numbers are so gargantuan that such domains have their own extensions like “.XXX “.

For those who still don’t believe me, please check out this article by Julie Ruvolo on Forbes.

And for those people who still question these numbers feel free to read  Ogi Ogas, one of the amazingly nerdy neuroscientists behind Billion Wicked Thoughts. He and co-author Sai Gaddam are sitting on what they think is “the most comprehensive collection of porn-use stats on the web.”

Happy Researching !!

About the Author: Joshua Bahirvani

Joshua Bahirvani 2Cyber Security Enthusiast and believer of Privacy in this Digital Age.

LinkedIn : https://in.linkedin.com/in/jbahirvani15

Peerlyst: https://www.peerlyst.com/users/joshua-bahirvani

Twitter : @B15joshua

Medium : @jbahirvani15

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hack PornHub, hacking)