During Google’s Pwnium competition at the Hack in the Box conference in Kuala Lumpur, Malaysia this week, a clever teenage hacker leveraged two bugs within Chrome to defeat its protections and fully compromise the system used in the contest.
Google uses their Pwnium contest to address bugs and other exploitable vulnerabilities in their browser that were missed during code reviews and other QA processes. To date, they have paid more than million dollars in rewards to researchers.
Some in the security research community are against the Pwnium contest, due to the fact that they are required to reveal the full details of their work, unlike the similar Pwn2Own contest.
“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google security team members Chris Evans and Justin Schuh blogged Feb. 27.
“Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing…Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”
A hacker going by the handle PinkiePie took the top prize for stomping Chrome earlier this year during Pwnium, and did it once again on Tuesday, netting the full $60,000 reward from the Internet’s technological giant.
“We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook,” wrote Chris Evans, a Software Engineer at Google in a company blog post.
Google’s engineer fixed the bugs in less than 10 hours after the competition ended. They will publish additional technical information once other platforms have been patched.