Skip the navigation

Researcher blows $15K by reporting bug to Google

Reported an Android Market flaw that would have won him top-dollar at Pwn2Own

March 8, 2011 12:41 PM ET

Computerworld - A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.

"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."

Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337.

But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.

Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest -- the first to hack each of the four smartphones receives $15,000 -- and because Oberheide had a working exploit, he was almost guaranteed the money.

"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."

Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.

According to Oberheide, the Android Market -- Google's official app store -- contained an XSS vulnerability in the e-mart's Web site. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.

"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."

An attack would have to add an app -- perhaps just a non-functional placeholder -- to exploit the bug. But that's easy.

"It's been shown, by me and others, that its not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!