Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

Obviously they were just waiting to start

[msobkow]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

Re:Obviously they were just waiting to start

[GameboyRMH]

I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

Re:Obviously they were just waiting to start

I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

Conflated competitions?

The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.