Forgot your password?
typodupeerror
Chrome Google Security Software The Almighty Buck IT

Hack Chrome, Win $20,000 79

Posted by timothy
from the don't-quit-my-day-job dept.
CWmike writes "Google will pay $20,000 to the first to exploit its Chrome browser at this year's Pwn2Own hacking contest at CanSecWest in Vancouver, BC, on March 9. At this year's Pwn2Own, researchers will pit exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft's IE, Mozilla's Firefox, Apple's Safari and Chrome. The first researchers to hack IE, Firefox and Safari will receive $15,000 and the machine running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards. 'We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000,' said Aaron Portnoy, the manager of the sponsor, HP TippingPoint's security research team, which set the contest's rules Wednesday in a blog post written by Portnoy."
This discussion has been archived. No new comments can be posted.

Hack Chrome, Win $20,000

Comments Filter:
  • by MrEricSir (398214) on Thursday February 03, 2011 @04:31PM (#35095148) Homepage

    The list of prizes includes "... the machine running the browser."

    Who would be dumb enough to use a computer they won from a hacking contest?

    • by Rinnon (1474161)
      That's a kind of silly question. It's not like a door that has been broken open and won't close. They'll probably take it home, install Linux on it, maybe change the MAC address on the NIC, and it's basically a new machine.
      • by MrEricSir (398214)

        Not if the hardware was compromised.

        • by nzac (1822298)

          I know browser hackers are not necessarily quite as skilled as (open)bsd hackers (but have success much more often) but i would think that the effort to make a hardware exploit that is undetectable to a winner would be more effort than its worth (it would have to survive a motherboard inspection and behave like the regular component almost all of the time) when it is likely that most hacking would be done from a desktop.

          Or if you think hacking the browser did the damage i think they win when they can execut

        • That puts it roughly at the same level of safety as any laptop you buy. If the hardware was comprimised, The government, the chip manufacturers, the QC people, the government could be requiring a hidden back door, any number of possible vectors are a higher possibility then some insane uber hacker planting a hardware level attack through a network connection in the plain view of several other hackers, that somehow finds it worth his time to plant a bug intended for the winner, but is not worth his time to j
        • by dudpixel (1429789)

          who says you have to connect it to the internet?

      • I'd take it. I don't mind non-virgin machines.

        random question:
          - I'm running the non-google Chromium right now. Any reason to upgrade to Chrome?

      • Why would you need to change the mac address?

        Its like people think that someone else knowing your NIC's MAC is a security issue; you cant even discover a MAC address once you go through a router.

      • by tehcyder (746570)

        That's a kind of silly question. It's not like a door that has been broken open and won't close. They'll probably take it home, install Linux on it, maybe change the MAC address on the NIC, and it's basically a new machine.

        They'll install Linux in a door?!

        Now I'm confused too.

    • by TaoPhoenix (980487) <TaoPhoenix@yahoo.com> on Thursday February 03, 2011 @04:37PM (#35095256) Journal

      "I'll take Things to do with faulty Sandy Bridge machines for 200 Alex".

    • by nzac (1822298)

      Why?? You would have a rather good understanding of what you just did to the computer so you can fix it.

      Or if you are worried about being traced as a hacker the hard drive would immediately be formatted and os reinstalled and if you are especially paranoid or do illegal hacking change the MAC address.

    • by eviljolly (411836)

      From what I understand, the people receiving the machine would be the ones hacking it in the first place. I don't think there would be a problem.

    • Let's start with the fact that as the WINNER of the contest, they were the ones who hacked it before we get into the other absurdities of that statement.

      Oh, and remember that this is only a contest, so they're just trying to get through the security, not actually do anything damaging once they're in.

    • by YoshiDan (1834392)
      The details of the exploit used in the competition aren't released until after the vendor has released a patch to fix it...
  • While I applaud their efforts, the truth of it is that there's always another exploit to fix.
    • Plus, its sort of a bad deal for the contestants, isn't it? Expand many man-hours of effort groping for a prize that probably won't materialize. No one is guaranteed to 'win,' but Google is guaranteed to get lots of free labour! Just a thought before you enter into something like this...
  • by John Hasler (414242) on Thursday February 03, 2011 @04:38PM (#35095272) Homepage

    Shouldn't the prize be a free copy of Chrome?

    Oh. Wait...

    • Thanks for showing up such fabulous information. I have bookmarked you and will remain in line with your new posts. I like this post, keep writing and give informative post...! escort delhi [hotmodelindelhi.com]
  • Chrome stands tall (Score:4, Insightful)

    by Randyll (1914386) <aneNO@SPAMsci.fi> on Thursday February 03, 2011 @04:49PM (#35095416)
    Chrome has never been hacked, which is not surprising, because the contest requires the contestant to exploit a Chrome bug and escape the sandbox while doing so. This is a far greater challenge than merely exploiting a browser bug that lets you do whatever, because if you find an exploit in Chrome the odds are high you will run into the sandbox [google.com] and be stopped outright.
  • Whenever I see "un" attached to an adjective, I'm inclined to believe it to be false. Unsinkable ship my foot.
    • by Sigma 7 (266129)

      Whenever I see "un" attached to an adjective, I'm inclined to believe it to be false.

      Even unstable [wikipedia.org]?

      (Affected players did have a workaround, but it wasn't on the official support pages.)

  • Good to hear (Score:2, Interesting)

    by amn108 (1231606)

    It's good to hear that we finally can link the pwnage and the ownage together. It's only fair, after all (ref. owning the machine you just pwned)

  • by kellyb9 (954229) on Thursday February 03, 2011 @05:15PM (#35095812)
    I hacked it to make Bing come up with the same results as Google... Please send me a check or a money order.
  • I'm curious, how does this contest work? You sign up for a 30 minute spot. Do they allow the security researcher to sit at the system to compromise and operate it or does the security researcher direct a user to visit some url with a potential exploit? Part of the contest is to exploit the browser so I am guessing that the browser needs someone operating it and fetching well crafted html etc. from some where.

    The phone stuff looks interesting as they are looking for drive by exploits as well as browser ex

    • by kent_eh (543303)
      No, the attacks come over the network (in the case of the wireless devices, over the air).

      There's pretty much no challenge attacking a system you have physical access to.
  • The rules aren't clear... can I use a gun?
  • by fizzup (788545) on Thursday February 03, 2011 @08:02PM (#35098470)

    What I get from this is that Google is so certain of Chrome's security, they're willing to trust $20k on that security. The lesson you can take from this is not to do anything with the Chrome browser that would put you at risk of losing more than $20k. After all, the authors won't risk more than that. Of course, other authors are even less certain of their browser's security...

  • Why no love for Linux? I personally think it would be much more interesting to see if they could hack Chrome (or Firefox) on a Linux based OS (like Ubuntu). Although I suspect it would actually be easier because less testing is done on those platforms (or at least less development).
  • This is pure marketing. If they want to prove to me it's secure, ask for a public code review and reward those who find clear problems, and compile from that reworked code.

    A "pass" from a hacking contest only shows that at a specific point in time, a specific set of people with specific skills were either unable to break a specific version of the software or unwilling to tell the organisers what they found so they could exploit that later for much more profit.

    Any occurrence of the word "specific" indicates

    • by n0-0p (325773)

      This is pure marketing. If they want to prove to me it's secure, ask for a public code review and reward those who find clear problems, and compile from that reworked code.

      The codebase (minus PDF, Flash, and branding) is open source. Google pays out anywhere from $500 to $3113.70 to anyone who reports Chrome/Chromium security vulnerabilities to them. And if you look at the release notes on Chrome and Safari it's obvious that Google has a full-time team searching for and fixing security issues in both Chrome and WebKit. I'm not sure what else you want them to do, because they're already going well beyond anything you suggested.

      • by cheros (223479)

        Maybe stop marketing gimmicks? There are two direct problems with what they do here:

        1 - it gives others the impression that hack contests are the way to assure security. This is the same as corporate execs relying on audit to assure the security of an IT platform instead of making sure they have solid fundamentals in place so that no retro-fitting is required.

        2 - it takes away the focus from the fact that they do indeed do the preparing work as well. They could make more work of the whole process instead

  • They'd have to pay me USD 20,000 just to get me to *use* Chrome again, never mind hack it. Software that secretly creates 3 separate scheduled tasks to reinstall its update program if it's deleted is indistinguishable from malware.

"Silent gratitude isn't very much use to anyone." -- G. B. Stearn

Working...