Teenager cracks Chrome again

Powered by SC Magazine

Full exploit earns teen a cool US$60,000.

Updated: A teenage hacker has launched a successful full exploit against Google Chrome at the HackInTheBox conference in Malaysia.

The exploit, now confirmed by Google’s US headquarters, earned the teenage hacker known as Pinkie Pie the top US$60,000 cash reward during Google’s Pwnium 2 event yesterday afternoon.

Google engineer Chris Evans said the attack targeted  two vulnerabilities. One exploited  the Scalable Vector Graphics function in Chrome's WebKit that led to compromise of the rendering process. The second bug affected the IPC layer to escape the Chrome sandbox.

It took Google only 10 hours to release a patch for the holes.

The company will give away up to a total of US$2 million during the event.

  • $60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
  • $20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. 

It will be the second time Pinkie Pie has scored the lucrative top prize. In March this year he strung together six vulnerabilities to escape the Chrome sandbox during the CanSecWest Pwnium event.

That exploit was done on an updated Windows 7 64bit machine and only required normal user web browsing.

Google dedicates three teams to exploits uncovered during Pwnium and can have a patch ready within 24 hours.

It formed Pwnium after pulling out of the pwn2own competition which did not require entrants to reveal information on their exploits.

Copyright © SC Magazine, Australia

Teenager cracks Chrome again
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx