Google to pay $40,000 "consolation prize" to Pinkie Pie for not-quite breaking into Chrome OS

Filed Under: Featured, Google, Google Chrome, Vulnerability

Pinkie Pie is the name of the renowned Chrome hacker who won Google's Pwnium competition in 2012.

He unleashed a seven-step exploit chain against Google's Chrome browser, giving him silent remote code execution, also known as a drive-by-install.

Well, Pinkie Pie was back at this year's Pwnium, taking a tilt at some of the Pi million dollars Google had put into the prize bucket.

This year's contest wasn't quite the same as in 2012: you weren't attacking the Chrome browser on a general-purpose operating system, but taking on the closed ecosystem of Chrome OS.

Chrome OS is Google's take on the walled garden approach favoured by Apple for its iOS devices: a locked-down version of Linux, with the Chrome browser layered on top for access to web applications and cloud services.

The main purpose of Chrome OS is control, and whether you like that approach or not, it can (and in Google's case apparently does) lead to tighter security.

With fewer configuration knobs to twiddle and buttons to press, and with a security setup that's baked in by Google, there ought to be less to go wrong, and fewer places for escape, either by accident or design.

And escaping by design evaded Pinky Pie this year, which meant that he missed out on any of the official prizes.

Google was offering $110,000 for pwnership (remote code execution with minimal user interaction), and $150,000 for persistent pwnership (also known as "a malware infection that survives between logins or reboots", or an APT).

However, Google just announced that it would dip into the $π,000,000 dollar prize fund to pay Mr Pie a a $40,000 consolation prize.

As Google's Chris Evans, who goes by the improbable-sounding job title of Chief Reward Officer (does his payment plan go up as he gives more away, do you think?), pointed out:

In particular, we’d like to thank Pinkie Pie for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures and keep users safe.

If you followed the Pwnium/PWN2OWN competitions last year, you'll no doubt be aware that Google withdrew from PWN2OWN in 2012 because its conditions for winners allowed them to collect their prizes by merely demonstrating their exploits, without any requirement that the exploit be disclosed to the affected software vendor.

Google, quite rightly in my opinion, decided that this would fall foul of the company's own responsible disclosure policy, which encourages researchers not to go public with exploitable hacks unless they've given the hacked product a fair chance to patch the holes first.

→ Proponents of the publish-and-be-done-with-it school, also known as full disclosure, suggest, perhaps a trifle disingenuously, that an aggressive approach is the only way to get the attention of vendors. Even though this puts the good guys and the bad guys on an equal footing, argue the full-disclosurists, that's better than risking a situation where the bad guys might be a step ahead.

So it's good to see Google taking the extra step here (and reaching for the chequebook, to boot) in order to encourage researchers to disclose even partial exploits.

This avoids any criticism that Google's contest might have worked against truly responsible disclosure by rewarding only those attacks which were already fully formed and as-yet unknown.

The value of early and partial disclosure is reinforced by Evans's observation (and since he's paying out 40 kilodollars, he's entitled to gloat a little on this point) that most of the bugs exposed by Pinky Pie's otherwise-incomplete work have already been fixed.

That means that any cybercrooks who were working along Pinky Pie's lines towards a zero-day exploit now have to start over.

Which is nice!

, , , , , , , , , ,

You might like

5 Responses to Google to pay $40,000 "consolation prize" to Pinkie Pie for not-quite breaking into Chrome OS

  1. Donncha O'Cearbhaill · 934 days ago

    persistent pwnership (also known as "a malware infection that survives between logins or reboots", or an APT)

    This in obviously incorrect. APT refers to the persistence of the threat actors in compromising a target and not the persistence of a particular piece of malware.The words APT being thrown around out of context as usual.

    • Paul Ducklin · 933 days ago

      "Persistence is in the eye of the beholder."

      The word "persistence" in respect of malware has been used for years, unexceptionally, with the loose meaning of "lasts until tomorrow, and the next day, and the next; can't be removed with a mere reboot or logout."

      So malware with persistence is quite unexceptionally an "advanced persistent threat."

      In fact, I think I have only ever heard the term APT applied to the specific part of the attack that is actually on the victim's computer, never to the crooks that are behind the threat.

      (Can someone tell me when "cybercrooks", "hackers", "crackers", call them what you will, turned into "actors", and why? I have reluctantly come to tolerate, if only barely to accept, the term...but when I hear "state-sponsored actor" the first thing that springs to mind is someone who has a grant to study at the Royal Academy of Dramatic Art.)

  2. PinkiePie Is A Lie · 933 days ago

    I bet PinkiePie is Google, for sure.

  3. xargos32 · 933 days ago

    Although a picture of the character the hacker got his name from is correct, Pinkie Pie is spelled incorrectly as "Pinky Pie" three times in the article. While this may not be an error related to the technical side of things, it would be nice to see proofreading catch things like this.

  4. roy jones jr · 929 days ago

    Why don't they make contests like this annually for all major browsers? And add to the contest on what the response from each company is.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog