Google offering a million dollars to anyone able to exploit their Chrome browser

webby

Google has pledged cash prizes totaling $1 million to people who successfully hack its Chrome browser at next week's CanSecWest security conference.



Google will reward winning contestants with prizes of $60,000, $40,000, and $20,000 depending on the severity of the exploits they demonstrate on Windows 7 machines running the browser. Members of the company's security team announced the Pwnium contest on their blog on Monday. There is no splitting of winnings, and prizes will be awarded on a first-come-first-served basis until the $1 million threshold is reached.

Now in its sixth year, the Pwn2Own contest at the same CanSecWest conference awards valuable prizes to those who remotely commandeer computers by exploiting vulnerabilities in fully patched browsers and other Internet software. At last year's competition, Internet Explorer and Safari were both toppled but no one even attempted an exploit against Chrome (despite Google offering an additional $20,000 beyond the $15,000 provided by contest organizer Tipping Point).

Chrome is currently the only browser eligible for Pwn2Own never to be brought down. One reason repeatedly cited by contestants for its lack of attention is the difficulty of bypassing Google's security sandbox.

"While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve," wrote Chris Evans and Justin Schuh, members of the Google Chrome security team. "To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards."
 
  • #4
they got their wish -

Google Chrome Browser First To Fall -

Though Google's Chrome was the only browser left unscathed at last year's CanSecWest's Pwn2Own hacking competition, this year it was the first one to fall. ZDNet reported that the Google browser was taken down by a group of French hackers called Vupen – the same team that cracked Safari at last year's contest.

Vupen's co-founder and research head, Chaouki Bekrar, told ZDNet that the group worked for six weeks to hatch a plan to take on Chrome. They developed two zero-day exploits that were able to take complete control of a fully updated 64-bit Windows 7 machine. "We had to use two vulnerabilities," Bekrar told ZDNet. "The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox."

Bekrar would not share the explicit details of the method Vupen used, nor would he say if either of the exploits used third-party code. "It was a use-after-free vulnerability in the default installation of Chrome. Our exploit worked against the default installation so it really doesn't matter if it's third-party code anyway," he said. In 2011, Vupen released a video in which the group cracked Chrome using Flash, but Google said it didn't count because of the use of third-party code.

So why did Vupen decide to go after Chrome first? Aside, of course, from the $1 million bounty Google placed on the browser's head. "We wanted to show that Chrome was not unbreakable. Last year we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," Bekrar said. He also noted that Chrome is "one of the most secure browsers available."

Ahead of the Pwn2Own, Google announced that it would dole out a total of $1 million in prize money for successful Chrome hacks to entice competitors to target the browser and to use the exploits to help bolster the browser's security. "We have a big learning opportunity when we receive full end-to-end exploits," Google said. "Not only can we fix the bugs, but by studying the vulnerability and [exploiting] techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users."
 
  • #7
It runs all week. Looks like 2 bugs have been found. After reading it further, they are offering UP to a million in prizes. Looks like this hack was worth $60k.


Beyond the $60,000 prize--awarded for any attack that exploits only Chrome bugs--contestants can win $40,000 by combining a Chrome bug with another bug, and $20,000 for exploiting a bug in third-party code, such as browser plug-ins, Flash, or Windows. All Pwnium winners also get a Chromebook.
 
  • #9
Teenage Hacker Has Scored $120,000 From Google For Discovering Security Issues In Chrome This Year

A teenage hacker who goes by the name of “Pinkie Pie” will receive $60,000 in prize money from Google, by producing the first Chrome vulnerability at the Hack in the Box conference on Wednesday. The exploit was discovered and successfully launched just ahead of the deadline for completion, according to early reports from the event. Before awarding the cash prize, Google had to first verify and confirm the vulnerability – which it just now did, the company tells us via email. More details have also been posted to the Google Chrome blog.
According to the blog post, the hack involves the following exploit:
  • [$60,000][154983][154987] Critical CVE-2011-2358: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.
Google has set aside $2 million in prize money for hackers who find security vulnerabilities in its Chrome web browser, with $60,000 being reserved for those who find “full Chrome exploits,” $50,000 offered for partial exploits, and $40,000 for non-Chrome exploits – that is, other bugs found in Flash, Windows, or a driver that are not necessarily specific to Chrome, but could cause issues for users. Google said in February that it would award those latter prizes because it also served the company’s overall mission of “making the entire web safer.” (The prize amounts have since changed.) Incomplete exploits may also be rewarded, based on judges’ decisions.

This is the second time “Pinkie Pie” has earned the top prize. In March, the hacker also earned $60,000 in the first “Pwnium competition” (as the event is called) by stringing together six vulnerabilities in order to break out of Chrome’s sandbox. According to a report from Infoworld, the hacker was not attending the Hack in the Box event this week, but had a colleague submit his latest entry for him.
 