Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Hacked In Contest Via Zero-Day Hole in Safari

Posted by Zonk on from the and-the-winner-is dept.

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

3 of 156 comments (clear)

  1. Konqueror by Anonymous Coward · · Score: 5, Interesting

    Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

  2. Admin user or regular user? by goombah99 · · Score: 4, Interesting

    I wish they would say if the user that safari was running under was admin or regular. If it was admin then this is even less of a hack than it already is. Also I wonder if they disabled the safari feature to automatically "open safe files after downloading". That option puts a lot of trust in other programs not to have holes. indeed it's not really safe at all. Only stupid people or people that don't do stupid things leave it on.

    Bottom line no remote hacks.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  3. no such thing as a white hat... by Animaether · · Score: 5, Interesting
    ...is there?

    I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?

    "'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York"
    "Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000."


    Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.