Security Experts:

Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022

Vulnerability researchers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022 hacking contest, including $450,000 for exploits targeting Microsoft Teams.

All ten hacking attempts were successful and Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, said the total amount of money awarded to participants was the biggest for a single day in the contest’s history.

A total of 16 zero-day vulnerabilities were exploited against Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.

The Teams exploits received the highest payouts — $150,000 has been awarded for each of three exploit chains. Masato Kinugawa leveraged a three-bug chain that included an injection, a misconfiguration and a sandbox escape. Hector “p3rr0” Peralta demonstrated an improper configuration, and the STAR Labs team used a zero-click remote code execution exploit that leveraged an injection and an arbitrary file write flaw.

There is one more attempt targeting Teams, scheduled for Friday, the last day of Pwn2Own.

Another significant bug bounty was earned by Manfred Paul — $100,000 for a Firefox sandbox escape exploit involving prototype pollution and improper input validation. The researcher has also earned $50,000 for a Safari hack.

The remaining exploits earned participants $40,000 each.

Researchers will also take a crack at hacking a Tesla Model 3 at Pwn2Own 2022, with two attempts scheduled for Thursday. Successfully hacking a car can earn participants up to $600,000 and a new Tesla.

This is the second Pwn2Own taking place this year. In April, at Pwn2Own Miami 2022, which focuses on industrial control systems (ICS), contestants earned a total of $400,000 for their exploits.

Related: White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021

Related: Printers Hacked for First Time at Pwn2Own

Related: $1.9 Million Paid Out for Exploits at China's Tianfu Cup Hacking Contest

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.