Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Takes $60k Top Prize for Chrome Exploit

During Google’s Pwnium competition at the Hack in the Box conference in Kuala Lumpur, Malaysia this week, a clever teenage hacker leveraged two bugs within Chrome to defeat its protections and fully compromise the system used in the contest.

Google uses their Pwnium contest to address bugs and other exploitable vulnerabilities in their browser that were missed during code reviews and other QA processes. To date, they have paid more than million dollars in rewards to researchers.

During Google’s Pwnium competition at the Hack in the Box conference in Kuala Lumpur, Malaysia this week, a clever teenage hacker leveraged two bugs within Chrome to defeat its protections and fully compromise the system used in the contest.

Google uses their Pwnium contest to address bugs and other exploitable vulnerabilities in their browser that were missed during code reviews and other QA processes. To date, they have paid more than million dollars in rewards to researchers.

Some in the security research community are against the Pwnium contest, due to the fact that they are required to reveal the full details of their work, unlike the similar Pwn2Own contest.

“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27.

“Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.” 

A hacker going by the handle PinkiePie took the top prize for stomping Chrome earlier this year during Pwnium, and did it once again on Tuesday, netting the full $60,000 reward from the Internet’s technological giant.

“We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook,” wrote Chris Evans, a Software Engineer at Google in a company blog post. 

Google’s engineer fixed the bugs in less than 10 hours after the competition ended. They will publish additional technical information once other platforms have been patched.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.