Chrome falls in first five minutes at Pwn2Own vulnerability contest

Separate from Google's own Pwnium competition, which has seen a Russian security researcher net $60,000 by uncovering a security hole in Chrome, other vulnerability hunters have successfully exposed weaknesses in the popular browser.

The series of exploits has brought to an end Chrome's boastful track record of fending off attacks in earlier contests.

Researchers at the French security outfit Vupen told ZDNet that they deliberately targeted Google's browser at this week's Pwn2Own competition at CanSecWest in Vancouver.

"We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," said VUPEN co-founder and head of research Chaouki Bekrar.

The Pwn2Own organisers announced on Twitter that the team of hackers had circumvented Chrome's security within five minutes of the competition beginning.

Vupen's Bekrar demonstrated the Chrome exploit by visiting a webpage containing the exploit code. Upon reaching the page, the code ran the Windows calculator program (calc.exe) outside of Chrome's sandbox without the user's permission.

Of course, a real attack could have done something much nastier - for instance, infecting computers with malicious software.

HP TippingPoint organizes the Pwn2Own competition as part of its Zero Day Initiative bug bounty program, and awarded Vupen 32 points for its achievement against Chrome.

Vupen was also awarded points for other vulnerabilities it demonstrated, including one against Safari. If they are still the top-scoring team on Friday they will receive the top prize of $60,000 for their efforts.

Google, which runs the separate Chrome-specific Pwnium competition, split away from Pwn2Own because of new changes in the Pwn2Own rules that it felt would hamper its ability to access details of successful exploits.

If you know how to exploit Chrome, it seems there are more avenues than ever to be rewarded for your efforts. Just please make sure that you work responsibly with the security community, rather than using such exploits for malicious purposes.

5 Responses to Chrome falls in first five minutes at Pwn2Own vulnerability contest

  1. Max · 937 days ago

    Take that google ;)

  2. Will they be rewarded by Google as well?

  3. Brian · 936 days ago

    I can just about guarantee that the hackers that did that were working on how to do it for a lot longer than 5 minutes! The article headline is kind of misleading, insinuating that someone walked in the door and hacked Chrome in 5 minutes. They probably started working on the hack the day after last year's competition when no one was able to hack it.

  4. bahnstormer_vRS · 936 days ago

    Think I'll stick to Firefox!

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.