Google Chrome hack earns security researcher $60,000

Filed Under: Google, Google Chrome, Vulnerability

A Russian security researcher has earned himself a tidy $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorised code on fully-patched Windows 7 computers.

Sergey Glazunov uncovered a remote code execution vulnerability in Chrome that could be used by malicious hackers and cybercriminals to install and run code on innocent users' computers, simply by luring them to a website.

Glazunov, who is no stranger to reporting bugs in Chrome, won his substantial reward as part of the Pwnium competition run by Google at the CanSecWest conference in downtown Vancouver.

Sergey Glazunov won $60,000

Sundar Pichai, a senior vice-president at Google, wrote on Google+ that his developers were "working fast on a fix" that would be pushed out as an automatic security update to Chrome users.

Google congratulates Sergey Glazunov

Google announced last month that they were offering a gobsmacking grand total of $1 million in rewards for those who uncovered security holes in Chrome.

At the time of writing, a hefty $940,000 remains in the Pwnium prize fund.


6 Responses to Google Chrome hack earns security researcher $60,000

  1. Robert Gracie says:

    Not bad for a white hat hacker. It shows Google what they have to improve upon in Chrome, because I use it and it's a good browser, to say the least.

  2. Ben says:

    Why no mention of Vupen, who did it first, in the first 5 minutes of the competition?

  3. Guest says:

    It's a worthwhile way to turn otherwise bad ingenuity to good. Back in my '70s CompSci days, one prof promised an automatic B if you could find a bug to gain superuser status on the university timesharing system, and an A if you could then develop effective defensive code to close the loophole. Of course, to get that A, you also had to find the OS source code, protected but on that system, and then understand it enough to develop the patch. I wonder if that'd be worth $60K in today's dollars?

    • danR says:

      China probably has a similar system.

      And the results are showing.

      They don't talk about exploits, they just do them and pick up the prizes; and they're worth a whole lot more than a lousy $60K.

  4. John P. Hohensee says:

    Some very good programmers do it for the thrill of the chase, to find the answer before any other programmer beats them to it. The offer of money as a reward just adds to the thrill of the chase. We do what we do because we can. There are only two kinds of you: those who understand 10, and the others who just don't get it. Let the thrill of the chase continue forever!

  5. danR says:

    I notice Chinese 'hackers' never participate in these events. They don't contribute to the hacking scene. Beijing exploits exploits, they don't help out the rest of the computing world. They help themselves to corporate servers.

    I made a much fuller post on this topic, but Mr. Cluley apparently is avoiding the matter, and it hasn't been posted.


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.