Google Bounty: $20K to Hack Chrome at Pwn2Own

Thursday, February 03, 2011



Google has set a twenty-thousand dollar bounty for the first successful hacking exploit of the company's Chrome browser in the Pwn2Own 2011 competition.

Other bounties offered in the annual challenge include $15K awards for successful hacks of the Safari, Internet Explorer and Firefox browsers - three times as much as has been offered in prior competitions.

The competition begins on March 9 at the CanSecWest security conference in Vancouver, British Columbia.

"We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000," said Aaron Portnoy of HP TippingPoint's security research team, sponsors of the Pwn2Own competition.

This is Google's first appearance in the hacker challenge, and the company is the first to offer up a cash award for the successful exploitation of their own product.

According to an article in CIO, the Google Chrome hack requires more prowess than attacks on other browsers because Chrome employs a "sandbox" security protocol.

"The rules for Chrome are slightly different than for the other browsers because it's the only one of the four that uses a "sandbox," an anti-exploit defense. A sandbox isolates system processes, preventing or at least seriously hindering malware from escaping an application -- in this case Chrome -- to wreak havoc on the computer. To exploit a sandboxed program like Chrome, researchers require not one but two vulnerabilities: The first to allow their attack code to escape the sandbox, and a second to exploit a Chrome bug," the CIO article stated.

If two exploits can not be found to compromise the Chrome browser, on the second and third days of the competition researchers may employ a non-Chrome bug - such as a Windows weakness - to complete the hack.

The prize for utilizing a non-Chrome flaw in the Google challenge reduces the prize offered by Google to $10k, but TippingPoint has offered to match that amount.


Possibly Related Articles:
Google Hacking sandboxing Chrome CanSecWest Pwn2Own Bounty
Post Rating I Like this!
Albert Grace Sounds funny, google is the very first to offer upward a money award for your successful exploitation of their own item.
Albert Grace The actual prize with regard to utilizing a non-Chrome flaw within the Google problem reduces the actual prize provided by Google in order to $10k.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.