Teenager cracks Chrome again

Powered by SC Magazine

Full exploit earns teen a cool US$60,000.

Updated: A teenage hacker has launched a successful full exploit against Google Chrome at the HackInTheBox conference in Malaysia.

The exploit, now confirmed by Google’s US headquarters, earned the teenage hacker known as Pinkie Pie the top US$60,000 cash reward during Google’s Pwnium 2 event yesterday afternoon.

Google engineer Chris Evans said the attack targeted  two vulnerabilities. One exploited  the Scalable Vector Graphics function in Chrome's WebKit that led to compromise of the rendering process. The second bug affected the IPC layer to escape the Chrome sandbox.

It took Google only 10 hours to release a patch for the holes.

The company will give away up to a total of US$2 million during the event.

  • $60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
  • $20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. 

It will be the second time Pinkie Pie has scored the lucrative top prize. In March this year he strung together six vulnerabilities to escape the Chrome sandbox during the CanSecWest Pwnium event.

That exploit was done on an updated Windows 7 64bit machine and only required normal user web browsing.

Google dedicates three teams to exploits uncovered during Pwnium and can have a patch ready within 24 hours.

It formed Pwnium after pulling out of the pwn2own competition which did not require entrants to reveal information on their exploits.

Copyright © SC Magazine, Australia

Teenager cracks Chrome again
Top Stories
Photos: Global Switch opens Sydney East data centre
First stage opened, to some fanfare.
ATO releases long-awaited Bitcoin guidance
Everyday investors escape the tax man.
Why the Weather Bureau’s new supercomputer is a 'gamechanger'
IT transformation starts to reap results.
Sign up to receive iTnews email bulletins
Latest Comments
Which is the most prevalent cyber attack method your organisation faces?

   |   View results
Phishing and social engineering
Advanced persistent threats
Unpatched or unsupported software vulnerabilities
Denial of service attacks
Insider threats