Google Chrome hack earns security researcher $60,000

A Russian security researcher has earned himself a tidy $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorised code on fully-patched Windows 7 computers.

Sergey Glazunov uncovered a remote code execution vulnerability in Chrome that could be used by malicious hackers and cybercriminals to install and run code on innocent users' computers, simply by having them visit a website.

Glazunov, who is no stranger to reporting bugs in Chrome, won his substantial reward as part of the Pwnium competition run by Google at the CanSecWest conference in downtown Vancouver.

Sundar Pichai, a senior vice-president at Google, wrote on Google+ that his developers were "working fast on a fix" that would be pushed out as an automatic security update to Chrome users.

Google announced last month that they were offering a gobsmacking grand total of $1 million in rewards for those who uncovered security holes in Chrome.

At the time of writing, a hefty $940,000 remains in the Pwnium prize fund.

6 Responses to Google Chrome hack earns security researcher $60,000

  1. Robert Gracie · 960 days ago

    Not bad for a white hat hacker. It shows Google what they have to improve upon in Chrome, because I use it and it's a good browser, to say the least.

  2. Ben · 960 days ago

    Why no mention of Vupen, who did it first, in the first 5 minutes of the competition?

  3. Guest · 960 days ago

    It's a worthwhile way to turn otherwise bad ingenuity to good. Back in my 70's CompSci days, one prof promised an automatic B if you could find a bug to gain superuser status on the university timesharing system, and an A if you could then develop effective defensive code to close the loophole. Of course, to get that A, you also had to find the OS source code, protected but on that system, and then understand it enough to develop the patch. I wonder if that'd be worth $60K in today's dollars?

    • danR · 960 days ago

      China probably has a similar system.

      And the results are showing.

      They don't talk about exploits, they just do them and pick up the prizes; and they're worth a whole lot more than a lousy $60K.

  4. John P. Hohensee · 960 days ago

    Some very good programmers do it for the thrill of the chase, to find the answer before any other programmer beats them to it. The offer of money as a reward just adds to the thrill of the chase. We do what we do because we can. There are only two kinds of you other that understand 10 others just don't get it. Let the thrill of the chase continue for ever!

  5. danR · 960 days ago

    I notice Chinese 'hackers' never participate in these events. They don't contribute to the hacking scene. Beijing exploits exploits, they don't help out the rest of the computing world. They help themselves to corporate servers.

    I made a much fuller post on this topic, but Mr. Cluley apparently is avoiding the matter, and it hasn't been posted.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.