The Best Friend You Didn’t Know You Had

I was reading the other day about how some hackers found a serious security flaw in php. php is a language used on Web servers to deliver content to your browsers; WordPress is written in php and thus every time you load a page here at MR&HI, code written in php is being run.

A LOT of the Web is written in php, so finding a security issue in that language is significant, but this episode is not so much about one particular flaw as it is about the constant battle between good and evil. This article gets technical fast, but there are a couple of important takeaways that you don’t need to be a geek to understand.

Pornhub offered $20,000 to anyone who could hack them, via the site HackerOne. This was a big enough incentive for a group of hackers to really go after them. They discovered one questionable practice by the programmers of that site, but it took a lot of long, hard work for them to turn that into an actual hack, digging through the source code of php itself until they managed to create an attack that could load and run code on the server.

Immediately they disclosed the vulnerability through responsible channels, earned their reward, and both Pornhub and the wardens of php moved to close the bug. Pornhub paid up the $20K, and HackerOne threw in a bonus.

And even shorter version: Pornhub paid some real dollars and made the Web safer for all of us.

You and I are fantastically lucky that there are people out there who will use their skills for a low-five-figure payoff, rather than exploiting that weakness for potentially millions. These are the white-hat hackers, incredibly skilled people who can write php-unserialize fuzzers to discover “unexpected” responses, but use their skills to make the world a better place.

Eventually these guys will have the hacking weapons that our own government lost control of, and when that happens, the Internet will become far more secure. In fact, if I were king of this country I’d give the good guys those tools right now. It can’t be only the Russians using that stuff. Worth noting: our government has discovered many security holes in the software that makes the world run, and they didn’t report those discoveries, leaving the holes wide open for them (and everyone else) to exploit. Our own government is not White Hat.

When you hear about a new terrible hole in security, remember: that’s when honest people found the hole. It’s geeks like Evonide that found it, and reported it. Often they chased that hole because some site like Pornhub gave them a reason to. So let’s stop and appreciate what the unsung good guys have done for us.

2

4 thoughts on “The Best Friend You Didn’t Know You Had

  1. Possibly the most annoying part is that they (the government) are so brazen about it. During the Apple/terrorism thing a few years ago, the FBI literally announced that (a) they knew that nearly a hundred million Americans were vulnerable to identity/information theft, that (b) they knew exactly what the exploit was, and (c) they were going to keep it a secret so that they could use it on an incredibly tiny handful of criminals who themselves were so brazen that they should have been caught ahead of time anyway.

    • And somehow that was to bolster their case that Apple should give them more access to personal data. “There should be no one we cannot hack!”

  2. Rather than raise a glass to 4000 starving Mexicans on Drinko-de-Mayo, think I’ll celebrate this episode instead and head on over to Pornhub.

  3. Pingback:

    Vote -1 Vote +1
    An Exchange with HackerOne | Muddled Ramblings and Half-Baked Ideas

Leave a Reply

Your email address will not be published. Required fields are marked *