Connect with us

Hi, what are you looking for?



Google’s Chrome Web Browser Hacked at CanSecWest

Google showed a great deal of confidence ahead of the CanSecWest conference this year when it announced plans to offer up to $1 million in rewards for a successful exploit against its Chrome browser. The company even launched its own Pwnium contest.

Google showed a great deal of confidence ahead of the CanSecWest conference this year when it announced plans to offer up to $1 million in rewards for a successful exploit against its Chrome browser. The company even launched its own Pwnium contest.

Unfortunately for Google, Chrome got dinged for the first time in the history of CanSecWest. Wednesday, security researcher Sergey Glazunov used two separate bugs to compromise the browser as part of Pwnium, earning a $60,000 reward. According to Sophos Senior Consultant Graham Cluley, Glazunov discovered a remote code execution vulnerability that could be used by hackers in drive-by attacks to install and run code.

“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry,” Sundar Pichai, Google’s senior vice president of Google Chrome, wrote on Google+. “Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”

Not long after Glazunov’s success, researchers at VUPEN Security exploited the browser as well at CanSecWest’s annual Pwn2Own contest using a pair of zero-day vulnerabilities to take control of a fully-patched PC running 64-bit Windows 7 (SP1).

“We wanted to show that Chrome was not unbreakable,” VUPEN CEO and head of research Chaouki Bekrar told ZDNet. “Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.”

Prior to the event, Google plugged 14 security holes in the Chrome browser. Thirteen of the 14 were classified by Google as ‘High’ risk.

Historically, Google Chrome has escaped exploitation at Pwn2Own, with researchers having better luck against Microsoft Internet Explorer, Mozilla Firefox and Apple’s Safari browser. This year, Google created the Pwnium contest and withdrew its sponsorship from Pwn2Own because contestants were not required to reveal full details of their exploits to vendors.

Advertisement. Scroll to continue reading.

“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

CanSecWest will continue on until Friday in Vancouver.

Update: Google addressed the vulnerabilities exploited by Glazunov on Thursday with Chrome Version 17.0.963.78 on Windows, Mac, Linux and Chrome Frame. Google noted that the release fixes issues with Flash games and videos, and other security updates.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.