Hack Chrome, Win $20,000

CWmike writes "Google will pay $20,000 to the first to exploit its Chrome browser at this year's Pwn2Own hacking contest at CanSecWest in Vancouver, BC, on March 9. At this year's Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft's IE, Mozilla's Firefox, Apple's Safari and Chrome. The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards. 'We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000,' said Aaron Portnoy, the manager of the sponsor, HP TippingPoint's security research team, which set the contest's rules Wednesday in a blog post written by Portnoy."

The machine is a prize?

[MrEricSir]

The list of prizes includes "... the machine running the browser."

Who would be dumb enough to use a computer they won from a hacking contest?

Re:The machine is a prize?

[Rinnon]

That's a kind of silly question. It's not like a door that has been broken open and won't close. They'll probably take it home, install Linux on it, maybe change the MAC address on the NIC, and it's basically a new machine.

Re:The machine is a prize?

[TaoPhoenix]

"I'll take Things to do with faulty Sandy Bridge machines for 200 Alex".

Re:The machine is a prize?

[MrEricSir]

Not if the hardware was compromised.

Re:The machine is a prize?

[Riceballsan]

That puts it roughly at the same level of safety as any laptop you buy. If the hardware was comprimised, The government, the chip manufacturers, the QC people, the government could be requiring a hidden back door, any number of possible vectors are a higher possibility then some insane uber hacker planting a hardware level attack through a network connection in the plain view of several other hackers, that somehow finds it worth his time to plant a bug intended for the winner, but is not worth his time to just use his knowlege to get $20,000 and win the laptop himself.

Hack Chrome, Win $20,000

[John+Hasler]

Shouldn't the prize be a free copy of Chrome?

Oh. Wait...

Chrome stands tall

[Randyll]

Chrome has never been hacked, which is not surprising, because the contest requires the contestant to exploit a Chrome bug and escape the sandbox while doing so. This is a far greater challenge than merely exploiting a browser bug that lets you do whatever, because if you find an exploit in Chrome the odds are high you will run into the sandbox and be stopped outright.

Re:Chrome stands tall

Yeah, people sometimes forget about this when talking about sandboxes. The sandbox might prevent malware from escaping to the OS or to another tab process, but it WON'T prevent it from masquerading as the tab session, and snooping on whatever you're doing in that tab. Even if things like form input/submission were moved to the broker, the malware could just rewrite the DOM, since parsing is typically done with least permissions. It's just a short-lived malware infection, existing only in memory.

Microsoft Copied... HA!

[kellyb9]

I hacked it to make Bing come up with the same results as Google... Please send me a check or a money order.

Don't trust Chrome with more than $20k

[fizzup]

What I get from this is that Google is so certain of Chrome's security, they're willing to trust $20k on that security. The lesson you can take from this is not to do anything with the Chrome browser that would put you at risk of losing more than $20k. After all, the authors won't risk more than that. Of course, other authors are even less certain of their browser's security...