Skip to content.

Google Chrome hacked for first time at $1m contest

Google's browser was hacked within only five minutes as part of an annual security contest, thanks to a team of French hackers and a Russian student.

chrome%20hack.jpg

After avoiding being successfully attacked for three years thanks largely to its sandbox, which locks down executable code to prevent damage, Chrome was hacked at both Pwn2Own and Google's Pwnium.

For the former, Vupen Security's team used a pair of zero-day flaws - one targeting Windows, the other targeting Chrome's sandbox - to hack the browser mere minutes into the start of the contest.

While the hack only took five minutes to execute, Vupen has been developing the attack against Chrome's sandbox for six weeks, Chaouki Bekrar, Vupen co-founder and head of research, told ZDNet.

Meanwhile, a Russian student won $60,000 for hacking Google’s Chrome browser, as part of the internet giant’s ‘bug bounty’ program to beef up its security.

The Russian university student, Sergey Glazunov, managed to bypass Chrome’s sandbox and exploit two vulnerabilities in the extension sub-system. He could then execute any code of his choosing on the underlying machine.

Glazunov hacked into a fully patched Windows 7 machine using a remote code execution exploit in Google Chrome as part of Google's Pwnium hacker contest at CanSecWest.

Until now, there are no known reports of a zero-day attack ever hitting Chrome, and at the previous three years' contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software.

Google noted that the exploit would be fixed via an update to the browser which will be pushed out automatically.

Pwnium is an alternative to the traditional Pwn2Own contest, set up specifically to find exploits in Google’s Chrome browser, as opposed to Pwn2Own which includes Internet Explorer and Firefox.

Speaking to ZDNet, Justin Schuh, who is part of Google's Chrome security team, said the attack was "very impressive" and that the exploit could have done "anything" on the infected machine, as he executed the code with full permission of the user.

The Google's Pwnium hacker contest is taking place at the CanSecWest security conference in Vancouver, Canada.

Google will give prizes of US$60,000, US$40,000 and US$20,000 out of a total US$1m prize fund depending on how participants manage to exploit Chrome on a Windows 7 PC.

In a blog post Google wrote, “We have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing and sandboxing. This enables us to better protect our users.”

Follow Netimperative on Twitter

Comment on this article





Verification (needed to reduce spam):

Subscribe to Netimperative Newsletters

Email address:


Daily
Weekly
Search Marketing
Events
Publishing & Media

Send as:
Text
HTML

Alternatively, click here to unsubscribe

Digital Training Academy training tips
Digital Training Academy
Essential skills for today's marketers: boost your team's results with customised advanced digital marketing coaching from world class trainers at the Academy.
Mail our academy managers Ask our tutors for more
Full details here...
 

Digital marketing audits - improving your ROI
Digital Training Academy

Getting the best ROI from your websites, emails and online ads? Sure?

Our digital marketing audits review your current and planned campaigns to find ways of cutting budgets without cutting impacts.

Mail our academy managers Ask for more
Full details here...

About Netimperative | About Digital Strategy | Terms of use | Privacy | Cookies

© Copyright 2014 Digital Strategy Consulting Ltd | Netimperative.com is part of the Digital Strategy Consulting group | UK company number 4342602 | The Digital Hub, 8 Macklin Street, Covent Garden, London, WC2B 5NF