In March this year we wrote about Pwnium, Google’s “hack the Chrome browser for money” competition run at the CanSecWest conference.
Two winners took home $60,000 each after crafting devious, multi-stage attacks against the Mountain View browser.
If you fancy a prize, you’ve got just under two months to get your exploit ducks in a row – not a terribly long time, if the complexity of the previous winning entries is anything to go by.
There are a few changes from March.
The prize money goes up from $1m to $2m – perhaps a bit of a media stunt by Google, since last time only 12% of the prize money was actually claimed.
The prize categories are adjusted from $20k-$40k-$60k for low-medium-full exploits to $40k-$50k-$60k. As Google explains:
[W]e've compressed the reward levels closer together for Pwnium 2. This is in response to feedback, and reflects that any local account compromise is very serious. We're happy to make the web safer by any means - even rewarding vulnerabilities outside of our immediate control.
The final prize change is that instead of presenting every winner with a Chromebook, Google will present the writer of the best exploit with the Acer laptop used as the standard test platform during the competition.
(That doesn’t seem like much of an endorsement for Google’s Chromebook devices – dedicated netbook-type computers that aren’t an awful lot more than a walled-off browser lashed to Google’s cloud apps. Can’t even give the jolly things away.)
What I’ve referred to as low, by the way, means an exploit that relies entirely on vulnerabilities outside Chrome itself; medium means that some non-Chrome bugs were combined with a Chrome flaw; and full means that only bugs in Chrome were exploited. You need to achieve what Google calls “Win7 local OS user account persistence” for your attack to qualify as an exploit.
Local OS means you’re running as a regular application, so you’ve escaped the limitations of running inside the browser; persistence means you’ll keep running even after the browser exits and the computer is rebooted; and user account means you don’t need to get all the way to administrator privilege.
Loosely speaking, that means your exploit would be perfect for a drive-by malware attack that would leave the computer infected inconspicuously and indefinitely.
Your exploit, of course, needs to be what is known as zero-day – Chrome and the surrounding OS will be fully patched when the competition opens.
Note to Mac users. Malware with admin privilege can, indeed, do a lot more damage than user-level malware. But even malware running with regular user privileges can be perfectly harmful, on OS X as well as on Windows. The notion that “malware which doesn’t prompt for the admin password isn’t really malware” is still prevalent amongst Mac fans, and it’s a myth. Software which runs as you has the power to do anything you could do yourself, including downloading and running yet more malware; reading and writing files; uploading data to web servers; posting to social networks; and emailing your very own ill-tempered letter of resignation to the Chairman of the Board.