Google announces Pwnium 2, raises prize money for Chrome hack to $2m


In March this year we wrote about Pwnium, Google's "hack the Chrome browser for money" competition run at the CanSecWest conference.

Two winners took home $60,000 each after crafting devious, multi-stage attacks against the Mountain View browser.

The competition is back, with Pwnium 2 set to take place at the 2012 Hack in the Box conference in Kuala Lumpur, Malaysia.

If you fancy a prize, you've got just under two months to get your exploit ducks in a row - not a terribly long time, if the complexity of the previous winning entries is anything to go by.

There are a few changes from March.

The prize money goes up from $1m to $2m - perhaps a bit of a media stunt by Google, since last time only 12% of the prize money was actually claimed.

The prize categories are adjusted from $20k-$40k-$60k for low-medium-full exploits to $40k-$50k-$60k. As Google explains:

[W]e've compressed the reward levels closer together for Pwnium 2. This is in response to feedback, and reflects that any local account compromise is very serious. We're happy to make the web safer by any means - even rewarding vulnerabilities outside of our immediate control.

The final prize change is that instead of presenting every winner with a Chromebook, Google will present the writer of the best exploit with the Acer laptop used as the standard test platform during the competition.

(That doesn't seem like much of an endorsement for Google's Chromebook devices - dedicated netbook-type computers that aren't an awful lot more than a walled-off browser lashed to Google's cloud apps. Can't even give the jolly things away.)

What I've referred to as low, by the way, means an exploit that relies entirely on vulnerabilities outside Chrome itself; medium means that some non-Chrome bugs were combined with a Chrome flaw; and full means that only bugs in Chrome were exploited. You need to achieve what Google calls "Win7 local OS user account persistence" for your attack to qualify as an exploit.

Local OS means you're running as a regular application, so you've escaped the limitations of running inside the browser; persistence means you'll keep running even after the browser exits and the computer is rebooted; and user account means you don't need to get all the way to administrator privilege.

Loosely speaking, that means your exploit would be perfect for a drive-by malware attack that would leave the computer infected inconspicuously and indefinitely.

Your exploit, of course, needs to be what is known as zero-day - Chrome and the surrounding OS will be fully patched when the competition opens.

Note to Mac users. Malware with admin privilege can, indeed, do a lot more damage than user-level malware. But even malware running with regular user privileges can be perfectly harmful, on OS X as well as on Windows. The notion that "malware which doesn't prompt for the admin password isn't really malware" is still prevalent amongst Mac fans, and it's a myth. Software which runs as you has the power to do anything you could do yourself, including downloading and running yet more malware; reading and writing files; uploading data to web servers; posting to social networks; and emailing your very own ill-tempered letter of resignation to the Chairman of the Board.



5 Responses to Google announces Pwnium 2, raises prize money for Chrome hack to $2m

  1. David · 1146 days ago

    Why don't you use normal English, which is easier to understand? Try to make your language more user friendly.

    • Paul Ducklin · 1142 days ago

      I lapsed into techie-speak because my goal was to make the article friendly to the sort of technical person who might be interested in a "hack the browser" contest.

      OTOH, I didn't intend to be _entirely_ incomprehensible to everyone; perhaps you might give me some examples of things that you think I ought to have handled more clearly. (Bear in mind, given my first remark above, that it wasn't my goal to be completely geek-word-free.)

  2. CLM · 1146 days ago

    nice article.

    btw, $2m < $2M. check your units. :)

    • Andrew Ludgate · 1145 days ago

      SI units for currency abbreviations... I can just imagine the conversion errors when translating into $x' ....

  3. Sootie · 1142 days ago

    Bonus points to any contestant who can make shockwave flash run on chrome without it crashing....


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog