PHP flaws allowed God mode access to top smut site

A trio of hackers have gained remote code execution powers on servers used by adult entertainment outlet Pornhub, using a complex hack that revealed twin zero-day flaws in PHP. Google software intern and security boffin Ruslan Habalov (@evonide) detailed the Return Orientated Programming hack in a detailed debriefing explaining …

  1. Sebastian A

    Or... and hear me out here...

    "Google intern hastily locates security vulnerability in Pornhub site to justify his frequent visits to the site to Google HR."

    1. benderama

      Re: Or... and hear me out here...

      Any intern capable of that deserves to be at Google, or anywhere else

  2. Anonymous Coward

    Frequent visitors don't necessarily log in, etc.

    Some would leave no info except IP address, time of visit and 'areas of interest'.

    You'd have to be a fairly serious pr0nophile to get to the point where you need to login to a free pornsite.

    1. NotBob

      Re: Frequent visitors don't necessarily log in, etc.

      People download apps to view free porn. There was an article about it some time ago. Logging in seems more likely to me...

      1. Kurt Meyer

        Re: Frequent visitors don't necessarily log in, etc.

        @ NotBob

        "People download apps to view free porn."

        Shouldn't that be "Stupid people download apps to view free porn."?

        I can't believe that anyone has trouble finding free porn.

        1. allthecoolshortnamesweretaken

          Re: Frequent visitors don't necessarily log in, etc.

          "I can't believe that anyone has trouble finding free porn."

          In soviet russia malware internet, porn finds you!

          1. Francis Boyle Silver badge

            Let me fix that for you

            You'd have to be a fairly serious pr0nophile to get to the point where you need to login to a free pornsite with a name that isn't something like Chet Rockhard.

            1. Mpeler
              Paris Hilton

              Re: Let me fix that for you

              Or Myles Long.....

  3. Anonymous Coward

    "The research team says Pornhub was "very polite", competent, and generous."

    Why shouldn't they be? They are running a legal business - and apparently have some concern for their users' privacy.

    In any walk of life it is those who make a big claim to a moral high ground who are most likely to abuse their members.

    1. Anonymous Coward

      re: Why shouldn't they be?

      Because some companies get upset when you point out holes in their security infrastructure. It's nothing to do with the line of business they're in.

    2. IsJustabloke
      Trollface

      Snigger...

      " abuse their members"

      *snigger*

      1. Anonymous Coward

        Re: Snigger...

        "*snigger*"

        I tried several phrasings of that sentence to cover many organisations who are theoretically upstanding but get upset when someone points out a security hole. The final phrasing was an unintentional pun - but I thought I'd leave the "fnarr" opportunity for someone else. :-)

        1. Mpeler
          Pint

          Re: Snigger...

          Erm, Ashley Madison?

  4. Medixstiff

    What I want to know.

    Is why the hell Pornhub has 'share" buttons for social media sites like Facebook.

    I mean seriously who is going to let their friends know their dirty little viewing habits by sharing them for the world to see?

    Not to mention prospective future employers, doing a search of their profile.

    1. joeW

      Re: What I want to know.

      Not only that, but Facebook will actually block pornhub/xvideos/xhamster links if you try to send them via messenger - I can only imagine the same is true for openly sharing them on your profile.

      1. Velv
        Paris Hilton

        Re: What I want to know.

        JoeW: "Not only that, but Facebook will actually block pornhub/xvideos/xhamster links if you try to send them via messenger"

        We won't make any inferences from the fact you know this...

        <snigger>

      2. Mpeler
        Paris Hilton

        Re: What I want to know - facebork blocking links

        As John McAfee says, no one should have to use xhamster...

    2. Kane
      Coat

      Re: What I want to know.

      "...dirty little viewing habits..."

      And that, right there, is a statement that tells me all about you and your particular views around sex.

      "why the hell Pornhub has 'share" buttons for social media sites like Facebook"

      So that people who are not prudes about sexual intercourse, can share with other like-minded people who are not prudes about sexual intercourse, their favourite videos.

      Consensual sex in the missionary position for the sole purpose of procreation, anyone? No, I didn't think so - mine's the fully "waterproof" PVC one in red and black, thanks.

    3. Anonymous Coward

      Re: What I want to know.

      "Not to mention prospective future employers, doing a search of their profile."

      Any employer doing that in the UK would be breaking the employment rules on freedom of legal sexual preferences. Only the religions get an exemption for their clergy - equal rights employment laws must be applied for ordinary jobs in their organisation.

      1. Anonymous Coward

        Re: What I want to know.

        I'm as likely to want to share a blow job video as I am to share the fact I just bought a game on Amazon or went shopping at Tescos. The facebook share button seems as (ir)relevant wherever it occurs. But Management love a bit of social network integration, it's so up to date and with it!

        1. Brewster's Angle Grinder Silver badge

          Re: What I want to know.

          I have feature requests for it.

        2. waldo kitty
          Facepalm

          Re: What I want to know.

          I'm as likely to want to share a blow job video as I am to share the fact I just bought a game on Amazon or went shopping at Tescos. The facebook share button seems as (ir)relevant wherever it occurs. But Management love a bit of social network integration, it's so up to date and with it!

          you are aware that that little button is what allows them to track you, right? you don't have to use it... just the fact that it is there and your system requested it gives them the information they need to follow you around...

          1. Anonymous Coward

            Re: you are aware that that little button is what allows them to track you, right?

            Really? You sure the browser doesn't 304 that? Whatever, I use noscript and I don't have a facebook account so they're tracking a single browser requesting a graphic from some sites. Cheeky but unlikely to get me sacked.

      2. Robert Moore

        Re: What I want to know.

        > Any employer doing that in the UK would be breaking the employment rules on freedom of legal sexual preferences

        I am sure they will call you up and let you know that your porn browsing habits are the reason you were not hired.

        Since you will never know why they didn't hire you, the reason can be anything they like.

        Didn't feel he/she would be a good fit with the company.

        Didn't interview well.

        Did not have (Skill X)

      3. Aitor 1

        Re: What I want to know.

        Illegal, so what? They just hire another company to do a "background check", from outside the EU, and all happy, except the idiot who shares that.

    4. Anonymous Coward

      Re: What I want to know.

      Well, a female friend of my wife and I shared on facebook that she likes a particular brand of S&M apparel. A mistake on her privacy modes allowed us to see something that was quite obviously not for us.

      Anon, as I don't want them to know we know (we don't care, and we are quite kinky ourselves but they might care).

  5. Brewster's Angle Grinder Silver badge
    Trollface

    Yes, I'm a weretroll and it's that time of the lunar cycle for me.

    So garbage collectors, that were meant to protect us from all those buffer overrun bugs, are themselves complex bits of software subject to exploitable bugs? Whaddayaknow.

    1. HereIAmJH

      Re: Yes, I'm a weretroll and it's that time of the lunar cycle for me.

      Garbage collectors help to avoid memory leaks from objects not being freed after use. Bounds checking is for buffer overruns. And it's ridiculous that it's not the default setting on modern compilers.

  6. Anonymous Coward

    Writeup

    That is a fantastic write-up that they produced. Thank you for linking to it.

  7. Aodhhan

    Rumor is

    ...they would have found these exploits faster, but everyone kept taking long bathroom breaks.

    However, I do agree with the article. I'm a bit shocked about PHP without JSON.

    Time to begin coding like it's 2016, not 2006.

  8. Jamie Jones Silver badge

    Zero day?

    The identified flaws are patched in PHP versions five and seven released last month. ®

    If they were fixed a month ago, how come they are still zero day?

  9. Inachu

    WOOT FREE PORN FOREVER!
