Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Hacked In 5 Minutes At Pwn2Own

Posted by samzenpus on from the what-took-so-long? dept.

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

15 of 169 comments (clear)

  1. Obviously they were just waiting to start by msobkow · · Score: 5, Interesting

    I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

    Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Obviously they were just waiting to start by SpanglerIsAGod · · Score: 5, Informative

      I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hordes them until the contest, and then goes public with them.

      I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

      --
      War doesn't show who is right - just who is left.
    2. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope its not patched out or publicized and grab money and swag.

    3. Re:Obviously they were just waiting to start by 93+Escort+Wagon · · Score: 5, Insightful

      I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      --
      #DeleteChrome
    4. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Funny

      That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

    5. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Insightful

      I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

      And is that such a bad thing? For the white hats, the money's just a bonus.

      But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

      In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

      Win-win situation in my books.

    6. Re:Obviously they were just waiting to start by GameboyRMH · · Score: 5, Interesting

      I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:Obviously they were just waiting to start by Anonymous Coward · · Score: 5, Interesting

      I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

  2. Why even mention the time? by Anonymous Coward · · Score: 5, Insightful

    This isn't Swordfish. They had plenty of time to prepare their attack.

    It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

    1. Re:Why even mention the time? by binarylarry · · Score: 5, Funny

      It's not called pwn2groan!

      --
      Mod me down, my New Earth Global Warmingist friends!
  3. still more cost effective by Bananasdoom · · Score: 5, Insightful

    Handing out 2mill of prize money is still more cost effective that standard R&D, you get more professionals testing it for the chance of wining some prize money than Google could ever employ and the people they chose not to employ.

  4. Re:5 minutes? by v1 · · Score: 5, Insightful

    Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

    Funny though how they get so much media attention every time this happens OMG safari got owned in six minutes! Chrome got hacked in 5 minutes! They must beg gods! no, not really.

    There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

    It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

    --
    I work for the Department of Redundancy Department.
  5. Conflated competitions? by Anonymous Coward · · Score: 5, Interesting

    The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

    1. Re:Conflated competitions? by Anonymous Coward · · Score: 5, Informative

      The Pwn2Own twitter account actually talks quite a bit about this.

      Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

  6. Nice Linking by rudy_wayne · · Score: 5, Funny

    5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser.

    Thanks for linking to a complete useless, pointless and content-free Twitter post.