Separate from Google’s own Pwnium competition, which has seen a Russian security researcher net $60,000 by uncovering a security hole in Chrome, other vulnerability hunters have successfully exposed weaknesses in the popular browser.
The series of exploits has brought to an end Chrome’s boastful track record of fending off attacks in earlier contests.
Researchers at the French security outfit Vupen told ZDNet that they deliberately targeted Google’s browser at this week’s Pwn2Own competition at CanSecWest in Vancouver.
“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” said VUPEN co-founder and head of research Chaouki Bekrar.
The Pwn2Own organisers announced on Twitter that the team of hackers had circumvented Chrome’s security within five minutes of the competition beginning.
Pwn2Own (@Pwn2Own_Contest) March 07, 2012
Vupen’s Bekrar demonstrated the Chrome exploit by visiting a webpage containing the exploit code. Upon reaching the page, the code ran the Windows calculator program (calc.exe) outside of Chrome’s sandbox without the user’s permission.
Of course, a real attack could have done something much nastier – for instance, infecting computers with malicious software.
HP TippingPoint organizes the Pwn2Own competition as part of its Zero Day Initiative bug bounty program, and awarded Vupen 32 points for its achievement against Chrome.
Vupen was also awarded points for other vulnerabilities it demonstrated, including one against Safari. If it is still the top-scoring team on Friday, it will receive the top prize of $60,000 for its efforts.
Google, which runs the separate Chrome-specific Pwnium competition, split away from Pwn2Own because of new changes in the Pwn2Own rules that it felt would hamper its ability to access details of successful exploits.
If you know how to exploit Chrome, it seems there are more avenues than ever to be rewarded for your efforts. Just please make sure that you work responsibly with the security community, rather than using such exploits for malicious purposes.