Pwn2Own, Pwnium pay researchers $210K for browser bugs
Last day of hacking events shake loose bugs in Firefox, Chrome
Computerworld - Researchers last Friday unveiled zero-day vulnerabilities in Google's Chrome and Mozilla's Firefox during the final day of two hacking challenges that awarded $210,000 to contestants.
The Chrome vulnerabilities were submitted by a teenage researcher identified as "PinkiePie," who was only the second to participate in the Google-sponsored "Pwnium" event.
After verifying that PinkiePie's work met Pwnium's requirement for a "full Chrome exploit" -- meaning that the two bugs were in the browser's own code and included a "sandbox escape" exploit -- Google awarded him $60,000.
It was the second such payout during the three-day event. On Wednesday, Google paid $60,000 to Sergey Glazunov, a frequent recipient of bounties paid by Google throughout the year.
In announcing PinkiePie's win, Jason Kersey, a Chrome program manager, called the researchers' exploits "works of art." Kersey also promised that Google would publish technical write-ups of the two Pwnium submissions.
On Saturday, Google patched Chrome to fix PinkiePie's vulnerabilities, the second time in three days that it updated the browser within 24 hours of obtaining bugs.
Also on Friday, HP TippingPoint's Zero Day Initiative (ZDI) closed out its "Pwn2Own" hacking contest, which like Pwnium ran March 7-9 at the CanSecWest security conference in Vancouver, British Columbia.
On the last day of Pwn2Own, a two-man team -- Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox zero-day to take the contest's $30,000 second-place prize.
Iozzo and Pinckaers, who also cranked out four other exploits of previously-patched vulnerabilities during Pwn2Own's on-site component, are no strangers to the contest. Last year, they made up two-thirds of a team that won $15,000 by hacking a BlackBerry smartphone.
A team from French security company Vupen won Pwn2Own's first-place prize of $60,000 by hacking Chrome and Microsoft's Internet Explorer earlier in the week.
ZDI did not award Pwn2Own's third-place prize of $15,000 because only two teams participated in the contest.
All told, the two events paid out $210,000 in prize money, a record at CanSecWest.
The dueling challenges were not on the original agenda for CanSecWest: A week before the conference opened, Google withdrew its Pwn2Own sponsorship over objections to that contest's practice of not requiring researchers to divulge "sandbox-escape" exploits.
Google then announced its own Pwnium, and pledged to pay up to $1 million for hacks that exploited Chrome zero-day vulnerabilities.
The code execution vulnerabilities used by the Vupen and Iozzo-Pinckaers teams during Pwn2Own will be reported to vendors today, ZDI said on Twitter last Friday.
The only browser not targeted at Pwn2Own was Apple's Safari, which went untouched for the first time in the contest's six-year history.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- The business impact of BYOA: Five major challenges and how your enterprise can solve them This E-Book reviews five major challenges of BYOA with key subject matter experts and outlines how businesses can solve them.
- BYOA: Embracing the Opportunity, Controlling the Risk This whitepaper explores the shift from BYOD to BYOA (bring-your-own-application) and how IT departments today can address this new change in the IT...
- Learn More About Peer 1 Hosting's Mission Critical Cloud Mission Critical Cloud from Peer 1 Hosting is enterprise-ready, creating a perfect point of adoption whether you need an off-premise solution for development
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade.
- Peer 1's Mission Critical Cloud: Your Cloud, Your Way Peer 1 Hosting's Mission Critical Cloud offers the ultimate in flexible customization of infrastructure, resources and support. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!