During Google’s Pwnium competition at the Hack in the Box conference in Kuala Lumpur, Malaysia this week, a clever teenage hacker leveraged two bugs within Chrome to defeat its protections and fully compromise the system used in the contest.
Google uses their Pwnium contest to address bugs and other exploitable vulnerabilities in their browser that were missed during code reviews and other QA processes. To date, they have paid more than million dollars in rewards to researchers.
Some in the security research community are against the Pwnium contest, due to the fact that they are required to reveal the full details of their work, unlike the similar Pwn2Own contest.
“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27.
“Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”
A hacker going by the handle PinkiePie took the top prize for stomping Chrome earlier this year during Pwnium, and did it once again on Tuesday, netting the full $60,000 reward from the Internet’s technological giant.
“We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook,” wrote Chris Evans, a Software Engineer at Google in a company blog post.
Google’s engineer fixed the bugs in less than 10 hours after the competition ended. They will publish additional technical information once other platforms have been patched.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
