Google Chrome hacked for first time at $1m contest
March 9, 2012
Google's browser was hacked within only five minutes as part of an annual security contest, thanks to a team of French hackers and a Russian student.
After avoiding being successfully attacked for three years thanks largely to its sandbox, which locks down executable code to prevent damage, Chrome was hacked at both Pwn2Own and Google's Pwnium.
For the former, Vupen Security's team used a pair of zero-day flaws - one targeting Windows, the other targeting Chrome's sandbox - to hack the browser mere minutes into the start of the contest.
While the hack only took five minutes to execute, Vupen has been developing the attack against Chrome's sandbox for six weeks, Chaouki Bekrar, Vupen co-founder and head of research, told ZDNet.
Meanwhile, a Russian student won $60,000 for hacking Google’s Chrome browser, as part of the internet giant’s ‘bug bounty’ program to beef up its security.
The Russian university student, Sergey Glazunov, managed to bypass Chrome’s sandbox and exploit two vulnerabilities in the extension sub-system. He could then execute any code of his choosing on the underlying machine.
Glazunov hacked into a fully patched Windows 7 machine using a remote code execution exploit in Google Chrome as part of Google's Pwnium hacker contest at CanSecWest.
Until now, there are no known reports of a zero-day attack ever hitting Chrome, and at the previous three years' contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software.
Google noted that the exploit would be fixed via an update to the browser which will be pushed out automatically.
Pwnium is an alternative to the traditional Pwn2Own contest, set up specifically to find exploits in Google’s Chrome browser, as opposed to Pwn2Own which includes Internet Explorer and Firefox.
Speaking to ZDNet, Justin Schuh, who is part of Google's Chrome security team, said the attack was "very impressive" and that the exploit could have done "anything" on the infected machine, as he executed the code with full permission of the user.
The Google's Pwnium hacker contest is taking place at the CanSecWest security conference in Vancouver, Canada.
Google will give prizes of US$60,000, US$40,000 and US$20,000 out of a total US$1m prize fund depending on how participants manage to exploit Chrome on a Windows 7 PC.
In a blog post Google wrote, “We have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing and sandboxing. This enables us to better protect our users.”