Vulnerability researchers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022 hacking contest, including $450,000 for exploits targeting Microsoft Teams.
All ten hacking attempts were successful and Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, said the total amount of money awarded to participants was the biggest for a single day in the contest’s history.
A total of 16 zero-day vulnerabilities were exploited against Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.
The Teams exploits received the highest payouts — $150,000 has been awarded for each of three exploit chains. Masato Kinugawa leveraged a three-bug chain that included an injection, a misconfiguration and a sandbox escape. Hector “p3rr0” Peralta demonstrated an improper configuration, and the STAR Labs team used a zero-click remote code execution exploit that leveraged an injection and an arbitrary file write flaw.
There is one more attempt targeting Teams, scheduled for Friday, the last day of Pwn2Own.
Another significant bug bounty was earned by Manfred Paul — $100,000 for a Firefox sandbox escape exploit involving prototype pollution and improper input validation. The researcher has also earned $50,000 for a Safari hack.
The remaining exploits earned participants $40,000 each.
Researchers will also take a crack at hacking a Tesla Model 3 at Pwn2Own 2022, with two attempts scheduled for Thursday. Successfully hacking a car can earn participants up to $600,000 and a new Tesla.
This is the second Pwn2Own taking place this year. In April, at Pwn2Own Miami 2022, which focuses on industrial control systems (ICS), contestants earned a total of $400,000 for their exploits.
Related: White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021
Related: Printers Hacked for First Time at Pwn2Own
Related: $1.9 Million Paid Out for Exploits at China’s Tianfu Cup Hacking Contest
Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
