Researcher blows $15K by reporting bug to Google
Reported an Android Market flaw that would have won him top-dollar at Pwn2Own
Computerworld - A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.
"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."
Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337.
But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.
Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest -- the first to hack each of the four smartphones receives $15,000 -- and because Oberheide had a working exploit, he was almost guaranteed the money.
"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."
Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.
According to Oberheide, the Android Market -- Google's official app store -- contained an XSS vulnerability in the e-mart's Web site. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.
"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."
An attack would have to add an app -- perhaps just a non-functional placeholder -- to exploit the bug. But that's easy.
"It's been shown, by me and others, that its not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!