Google Chrome finally hacked at Pwn2Own twice

Every year, the CanSecWest Applied Security Conference pits some of the best white hat hackers in the world against the top web browsers. And every year since its arrival at the show, they’ve completely ignored Google Chrome. This year, however, someone finally hacked Chrome and took home $60,000 in the process.

Why did it take so long for someone to step up? Because Chrome’s built-in sandbox makes it much more difficult to exploit than other browsers. For a hack at Pwn2Own to be considered successful, a participant not only has to find and exploit a vulnerability in Chrome, but also find a way to escape the sandbox and attack the underlying operating system.

First to break Google’s browser was Sergey Glazunov, whose name you might recognize if you keep tabs on Google’s Chrome bounty payments. He’s earned thousands of dollars over the years spotting holes in Chrome code, but the $60,000 he’s taking home from CanSecWest is by far his biggest payday from Google. Glazunov hacked Chrome during the Google-sponsored Pwnium contest, which they set up to entice someone — anyone — to have a go at Chrome.

Vupen Security also had success this year, with CEO Chaouki Bekrar saying that they “wanted to show that even Chrome is not unbreakable.” Bekrar’s team used a specific vulnerable component of Chrome in their hack. He declined to offer any specifics, saying only that it’s part of the default Chrome installation. Many in the security community are pointing fingers at the native Flash plug-in and Chrome’s SQLite profile. This isn’t the first time Vupen has struck, of course. They blogged about escaping the sandbox last May.

Whatever tricks were used against Chrome, the end result is that Google’s browser is about to become even more difficult to compromise. Once Mountain View patches these holes, it could very well be another year before anyone bothers to attack.

More at Ars Technica
