Chrome Hacked In 5 Minutes At Pwn2Own

Skuto writes "After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google's browser. They will win at least 60k USD out of Google's prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

Obviously they were just waiting to start

[msobkow]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

Still, kudos on what has to be almost world-record-time penetration of a "secure" system.

Re:Obviously they were just waiting to start

[SpanglerIsAGod]

I think that's how most of the successful hacks have been going in this contest. Someone finds a few vulnerabilities, hordes them until the contest, and then goes public with them.

I'm not sure that I like that, but I guess it gets some vulnerabilities fixed.

Re:Obviously they were just waiting to start

[GameboyRMH]

I'm not gonna lie, with my modest 3rd-world income I'd probably do the same thing for $60k. Giving out these massive prizes at annual competitions could turn out to be a double-edged sword.

Re:Obviously they were just waiting to start

[kcbnac]

Then perhaps they need to start doing them more often than yearly? Do them quarterly?

Re:Obviously they were just waiting to start

[Zero__Kelvin]

Are you mad man? Didn't you hear!!??? It exposes bugs!

Re:Obviously they were just waiting to start

[Anonymous Coward]

I wonder if it would be worthwhile for a committer to intentionally introduce a bug (passing code review, of course), then split the bounty with a buddy who enters the competition?

Obligatory

[cmburns69]

"I'm gonna write myself a new minivan this afternoon!"

http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]

Also:

http://thedailywtf.com/Comments/The-Defect-Black-Market.aspx [thedailywtf.com]

Re:

[Anonymous Coward]

$60k is considerably more than my "1st-world" annual income. I imagine you'd have to be rich or a little goofy not to do that, if the opportunity presents itself.

Re:

[MareLooke]

Which seems to be the same thing in today's world. Sadly.

Re:Obviously they were just waiting to start

[Gavagai80]

Ah, so you're the guy this [cracked.com] is about. Stop whining and get back to your luxuries while the rest of us make a tiny fraction of your salary.

Re:

[Goaway]

What's not to like about that? It's the entire point of the contest!

Re:Obviously they were just waiting to start

[Anonymous Coward]

I think all of the Pwn2Own exploits are discovered beforehand and then shown at this event. They could report it and get sued... or they could hold on to it, hope its not patched out or publicized and grab money and swag.

Re:

[RivenAleem]

I don't see how anyone can complain. Either way the vulnerability isn't shared with the public. The only downside I see is that between one security resercher finding the vulnerability, and the demonstration of it at the contest, there's a chance of another less noble person finding the same vulnerability and exploiting it for nefarious reasons.

Re:

[Anonymous Coward]

Every major sports team comes into the contest with a scouting report and a plan to win.

These guys did their scouting and executed their plan.

Well done !

Re:Obviously they were just waiting to start

[93 Escort Wagon]

I think it's pretty clear they had their exploits worked out and ready to go for some time, and were just waiting for the contest to start to unleash them.

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

Re:

[Anonymous Coward]

It's pretty obvious how the tone of the first handful of up modded posts differs from when IE or Safari are first down.

Re:Obviously they were just waiting to start

[Anonymous Coward]

That's because when other browsers are cracked first it shows they are insecure, while when it's Chrome it is only an experimental error.

Re:Obviously they were just waiting to start

[Anonymous Coward]

I think it's pretty clear this has always been the case in these pwn2own contests, whether the browser is Safari, Internet Explorer, or Chrome. This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

And is that such a bad thing? For the white hats, the money's just a bonus.

But $1M is pretty cheap to increase the odds that those who might otherwise be tempted to join the black hats can still gain public recognition, still make some money, and because their hat can remain white, they don't even have to worry about prosecution.

In exchange for the coin, developers get responsible disclosure of lots of bugs (that might have otherwise remained under wraps, or might have been discovered first by black hats) in a controlled environment.

Win-win situation in my books.

Re:Obviously they were just waiting to start

[eulernet]

This latest crack just makes it a little more obvious that it's a question of motivation more than anything else - and money is a powerful motivator, probably more so than notoriety (in sufficient quantities, anyway).

No, it just proves that when you put enough money, professional crackers are attracted.

There is an article where Charlie Miller (winner of past contests) explains why he won't compete:
https://www.zdnet.com/blog/security/charlie-miller-skipping-pwn2own-as-new-rules-change-hacking-game/10554 [zdnet.com]

On the contrary, I think that money attracts professionals, and discourages all other people, who may have interesting hacks but know that they cannot compete against professionals.
In short, it encourages people who came to win, and discourages people who came to participate.

Re:

[Runaway1956]

Well, I'm sure that your imagination is insanely powerful.

Re:

[Anonymous Coward]

It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security.

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

I mean I could understand it if there ever once was and now you want to have that again. But there never was. There isn't. There's not going to be. There is only hard work and diligence and learning from experience. Stop acting so shocked you dumb fucks! Seriously.

Re:Obviously they were just waiting to start

[haruchai]

You've clearly never read a press release from a software company

Re:

[Anonymous Coward]

There is not and never has been a "silver bullet" for anything much less security. Stop acting surprised.

Not true that there are no silver bullets for anything. There are silver bullets for killing werewolves.

Re:Obviously they were just waiting to start

[GigaplexNZ]

There is not and never has been a "silver bullet" for anything much less security.

Except, of course, for an actual bullet made of silver.

Re:

[phoenix_rizzen]

And a can of Coors Light, obviously.

Re:

[ByOhTek]

Yeah, but it's amazing the number of self proclaimed tech experts I've known who think there are.

"I use a Mac, and have worked in the industry for 40 years, I know it's impossible for me to get a virus."

"I use a Mac and Chrome, I'll never get infected with anything."

"I use Linux, my system is impenetrable."

etc. etc.

I haven't had a malware problem on windows in about 13 years. Some of which I used IE (earlier times), some of which I used Firefox. This is a better record than any of those yutzes. The most imp

Re:Obviously they were just waiting to start

[TheRaven64]

I use a Mac, but the air of condescension surrounding my computer makes malware slink off and attack someone else's computer.

Re:

[atlasdropperofworlds]

You made me lol hard.

I wish all mac owners were like you.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Awarding this the most apologetic post of the day

[Anonymous Coward]

saying "I know anecdotes aren't date" followed by "but insert anecdote here" doesn't excuse you from confirmation bias. There is no evidence presented by you that your practises wouldn't keep you just as safe with Opera or Gecko-based browsers.

Re:

[westyvw]

I agree with the post that I want to know what the expoloit was.
However I must say that you sure work hard to try and keep your computer safe from the internetz. Is windows land really that bad that you have to go to all that effort just to feel free to browse the web?

Re:

[account_deleted]

Comment removed based on user account deletion

Won't help

[dutchwhizzman]

The whole concept of PWNing is that someone comes up with a way to circumvent the security built into that system. Sure, multiple layers like you describe will hopefully catch the intruder at some other point, where they try to do something that triggers an alarm. However, there is nothing you can do against zero-day vulnerabilities, other than multilayer your security and set up proper alerting.

People smart enough to find a zero day in a common and well tested browser, tend to be smart enough to write "p

Re:

[rrohbeck]

What, you can't disassemble and grok 60-some MB in 5 minutes? Wimp.

Re:

[wvmarle]

Of course. Finding exploits takes time and dedication (and possibly luck: looking at the correct piece of the code). Not likely a new exploit is discovered within the competition itself.

Re:

[Goaway]

What's "funny" about five minutes? The point of the competition is that you show up with your exploit, and run it. Five minutes is a pretty long time to do that in.

Re:

[V for Vendetta]

The point of the competition is that you show up with your exploit, and run it.

This article [zdnet.com] linked in another post above disagrees:

Miller, a Pwn2Own regular who makes headlines every year for his work breaking into fully patched Mac OS X machines, says he is skipping the contest this year because of the new rules that require on-the-spot writing of exploits.

Re:

[Goaway]

Well, that would explain why it took so long, if he had to type it out from memory.

Re:

[Harik]

If only there were a -1 WRONG button.

That's for Pwn2Own, which google is also not particpating in. Pwnium (what this is about) allows pre-written exploits.

Re:

[TheRaven64]

And, another question: Which sandbox did it exploit? Chromium has a chroot-based sandbox, an SELinux sandbox, a Capsicum sandbox, and a Windows sandbox and a Mac sandbox. Was the compromise something specific to one of these implementations, or was it in the platform-agnostic code?

5 minutes?

[Anonymous Coward]

I guess this means they went in knowing exactly what they were going to do. This means that it has been known for a while which means there could be many more people who know and are exploiting this.

Re:5 minutes?

[v1]

Nobody shows up at one of these contests and cracks their knuckles and starts looking for holes. They always show up with a premade bag of polished and practiced zero-days.

Funny though how they get so much media attention every time this happens OMG safari got owned in six minutes! Chrome got hacked in 5 minutes! They must beg gods! no, not really.

There's really no reason they couldn't be doing this once a month really. I'd wager that the winners this round had 4-6 different exploits in their bag of tricks, and are strategically submitting them.

It would be in google's better interest to hold such contests monthly with smaller prizes. It'd just be paying for bugs, but the way they're doing it here is just moving a lot slower than it really should.

Re:

[Anonymous Coward]

All the browsers except for IE pay for bug bounties...

It is probably more the fame of winning the event...

Re:5 minutes?

[artor3]

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

Re:

[westyvw]

A full Chrome exploit will net you $60,000 from Google. They now have 3 pay ranges and offer substantialy more then they used to. I do think they upped this price after they pulled out of pwn2own in February.

Re:

[Krneki]

That depends how much they pay. Google, for example, pays the cute but relatively small sum of $3133.70 for the most severe bugs. These Vupen guys could have reported their bugs and pocketed at most ~$6k (maybe less, if Google failed to recognize the severity of the bugs), or they could do as they did, keep the bugs to themselves until Pwn2Own came around, and earn ten times that amount.

I doubt they care so much about the fame. The extra $54k, on the other hand...

I fear that the black market pays more for this 0-day exploits.

Re:

[St.Creed]

I never knew that until a friend tried to deal with them on changes to the Android API's (he works for a VERY large company and they needed extra abilities). They didn't even deign to reply.

Nokia, Microsoft and Apple not only provided helpful assistance but actively invested to get his solution on their platform. Big difference. Google is going to shoot itself in the foot with that "If you don't work here, you're stupid and can't be taken serious" attitude.

Re:5 minutes?

[__aaltlg1547]

And that brings up an even more troubling thought. Are the pwn2own incentives creating a perverse incentive to conceal vulnerabilities?

I think so. If this is how Google will find and fix its flaws, exploiters are basically safe between events.

If you want flaws and exploits identified and fixed fast, pay on a first-to identify basis and never announce what the exploits found were. Just quietly fix them as fast as you can and distribute patches regularly.

Re:

[Brian Feldman]

You don't understand software. Fixing things quietly is just as good as announcing them for a project that develops in the open.

You always could google pwn2own...

[Anonymous Coward]

...now it seems you can also pwn2own google!

Re:

[Torodung]

You forgot "In Soviet Russia..."

Re:

[allo]

Soviet Russia forgot him!

Why even mention the time?

[Anonymous Coward]

This isn't Swordfish. They had plenty of time to prepare their attack.

It's impressive they exploited Chrome. But the preparation took more than 5 minutes.

Re:Why even mention the time?

[Brad1138]

You mean they weren't getting BJ's as they hacked Chrome? What kind of contest is this anyway?

Re:Why even mention the time?

[binarylarry]

It's not called pwn2groan!

Re:

[geminidomino]

That comment, on the other hand, would have won if it was.

I cringed a little, too.

Re:

[Billlagr]

pwn2blown! In under 5 minutes no less

Re:

[mikael_j]

Well, every year when Safari was the first browser to be targeted and thus also the first to be broken the fandroids and the anti-Apple crowds would scream on and on about how this proved Safari was the shittiest browser in existence and by extension Apple was a horrible horrible company.

I guess it's Google's turn this year.

And no, I don't use Safari, I just find it interesting that when previous stories like this have been about Safari the first dozen or so posts weren't about how the reporting was biased.

Re:

[makomk]

Except in this case Google Chrome's being targeted because Google themselves are offering particularly generous payments to hack it, whereas Safari was a favourite target in prior years because according to the contestants it was the easiest to find and exploit holes in.

still more cost effective

[Bananasdoom]

Handing out 2mill of prize money is still more cost effective that standard R&D, you get more professionals testing it for the chance of wining some prize money than Google could ever employ and the people they chose not to employ.

Re:

[__aaltlg1547]

No it's not. It's Ann incentive to create and CONCEAL cracks while drawing attention to Ans glorifying crackers.

Re:

[Ambiguous Coward]

I'm dying to know what (assumedly mobile) OS is autocorrecting you An this way. :)

Re:

[westyvw]

Shirley the next name I am going to use in my next kids book will be Ann Incentive. I can see her leading the way.

Re:still more cost effective

[gweihir]

Unfortunately, wrong. First, you get only as much of their vulnerability stock that they need to maximize their profit. Then, you do only get what was easiest to find for them. A real security review looks at architecture, design, coding style and other things as well, which are completely absent at these competitions.

Basically, this is a show with very little actual security benefits.

no benefits?

[dutchwhizzman]

sixty thousand clones of George Washington disagree with you on that.

Conflated competitions?

[Anonymous Coward]

The posting says that one of the teams in Pwn2Own will win at least USD 60K from Google. But Google aren't putting up any Pwn2Own prize money. Last I heard Google are running their own competition with different rules. The participants in Pwn2Own may well not enter the Google competition because their exploit (if it escapes the sandbox) will be worth much more than USD 60K. My understanding is that the Pwn2Own entrants are not required to reveal their sandbox exploits before receiving the prize money because sandbox exploits are worth much more than the prize money that is available while Google will require full disclosure before handing over their money.

Re:Conflated competitions?

[Anonymous Coward]

The Pwn2Own twitter account actually talks quite a bit about this.

Additionally, it appears that Vupen has already announced they won't be participating in Google's competition.

Re:

[deroby]

So basically they simply announced that they have found a way to work around chrome's security system; won a competition doing so (including fame & prize money) bringing them lots of media coverage (read: free advertising). And now they simply have to wait for some 'clients' to come up with more than 60k for its source, I'm sure their address is on the pown2own website.

Seriously, they might just as well put it on ebay if you think about it, opening bid of 59.999$.

How does this go

[eyenot]

I haven't used Chrome for months. It was behaving errratically and made me nervous during a yime I was looking for a secure browser out of immediate necessity. I eventually managed to use an old version of firefox portable that settled things. I forgot pwn2own was even happening by the time I noticed Chrome zipped in my archives folder and deleted it as useless just two days ago.

But this stuff has me wondering: suppose this goes on and Chrome eventually has all of the exploits worked out of it. A theoretica

Re:

[Anonymous Coward]

All code libraries etc makes assumptions about what sorts of data they will handle. The problem is that these browsers (and all software larger than Hello World) is so complicate that it is impossible for a developer to anticipate every interaction and use every api exactly as it was intended in all possible cases. In essence in order for there to be no exploits introduced when a new feature is added, that feature and every possible interaction of that feature with every other feature must be vetted.
Sayin

I use Chromium

[cpu6502]

It doesn't have any of those annoying Google spying/tracing code built-in.

Re:

[cpu6502]

LINK

http://www.tucows.com/preview/610631 [tucows.com]

Re:

[cpu6502]

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml [softpedia.com]

Re:

[Calos]

Yeah, that truth, that's not why people were modding your post. I think you know that.

And people are probably modding it troll because most of us haven't seen any legitimate proof of these claims. Most of us see a fair amount to the contrary.

By all means, if you know something and can show it or have some links with substantiated evidence - please post them, so people can make the choice to switch if they desire.

Otherwise, all you're doing is raising the noise floor. And moderators are seeking to lower it

Re:

[cpu6502]

If you haven't seen the reports of Google tracking users, even to the point of hacking Apple Safari and Microsoft Explorer's "private" modes to track them, then you have not been paying attention. It's common knowledge now among tech professionals.

Re:

[Calos]

If it's such common knowledge, surely it will be easy for you to provide a credible link. You could have provided several in the time it took you to write a snarky, arrogant reply. But you didn't.

No, I will not accept your appeal to your ethos and authority as a valid argument.

Because the truth is - I don't ask because I'm wholly ignorant on the subject. I actually pay pretty close attention to this kind of thing. I know there are privacy concerns with Chrome, but I also know that the things that were conc

Re:

[causality]

Modded Troll??? Why? I was stating a truth (I don't use Google Chrome; I use the open source chromium).

Chromium LINK - http://www.softpedia.com/get/PORTABLE-SOFTWARE/Internet/Browsers/Portable-Google-Chrome-Chromium.shtml [softpedia.com]

The one time the Slashdot groupthink is actually against Open Source code and privacy and software freedom ... is when it makes a statement against Google.

Since this particular statement cuts to the core of how Google makes its money, namely through acquiring marketing data from mostly hapless and unsuspecting users who have no idea how much information they are "contributing", and wouldn't if they did, it's too fundamental of a comment to be tolerated by the fanboys.

So you're being punished by the mo

Re:

[TheVelvetFlamebait]

I state that, because a good 90% of the fools around here don't know a DAMNED THING about computing other than @ user level

That's probably because it's news for nerds, not news for computer engineers. The days when there was a natural bias on the internet towards computer geeks is over. Nerds on the internet come in all flavours now.

Re:

[TheInternetGuy]

Using very strict judgement, uncharacteristic to Slashdot, the parent may be off topic, but Score:0, Troll? I guess mods woke up on the wrong side of the bed today.

Re:

[Anonymous Coward]

Oh come on, we all know Google is perfect and can do no wrong and anyone that says anything negative against them is clearly a paid shill.

Re:

[Daniel Phillips]

Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

Re:

[Daniel Phillips]

Googlers should know that expressing disagreement via mod points is not Googly. Or is it now?

Oh right, I forgot, the "don't be evil" already left the building.

Google's PHD Coders???

[BoRegardless]

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Re:Google's PHD Coders???

[Daniel Phillips]

Tell me that Google couldn't do a better job than that.
5 minutes? What sort of coding knowledge does Google have anyway.

Not as much as the combined wisdom of the community, a fact that permeates slowly through some of the thicker skulls in the land of Oz.

Re:

[gweihir]

The time is completely irrelevant. These are pre-packaged exploits that run as fast as possible.

Re:

[ais523]

Well, it's probably an indication of whether the exploit is deterministic or probabilistic (probabilistic exploits will need more tries on average before they work). Also, if it's a buffer overflow, the size of the buffer it's overflowing (if it needs a lot of data to overflow, the browser will take a while to download it).

Not a good indicator of how difficult the exploit was to find, though.

Re:

[gweihir]

Indeed. A very simple to find one with a large random component could run forever, while a really hard to find one may simply change one flag by buffer overflow in a microsecond.

Re:

[Tim C]

They didn't hack/crack Chrome in 5 minutes, they turned up with a pre-tested bag of tricks and took 5 minutes to run them.

Yo Dawg I heard you liked sandboxes

[flappinbooger]

So I run chrome inside of a sandbox so I can be sandboxed while Chrome's sandbox is being hacked.

Nice salary

[Daniel Phillips]

That's $12 million/hour, more than Larry and Sergey combined :-)

Re:

[viperidaenz]

I get paid $26 million/hour. If I only look at the 1 second it takes for my pay to appear in my account every fortnight.

Nice Linking

[rudy_wayne]

5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs [twitter.com] to demonstrate a total break of Google's browser.

Thanks for linking to a complete useless, pointless and content-free Twitter post.

Re:

[Voyager529]

Thanks for linking to a complete useless, pointless and content-free Twitter post.

I thought redundancy was picked up by the lameness filter.

details on the exploit?

[xandroid]

Are there any details on the exploit beyond "Code execution and sandbox escape (medium integrity process resulted)" [twitter.com]?

A Market for Bugs?

[BenJCarter]

What if Google set up a market protocol to buy Chrome bugs? $1k each, with strict disclosure and delivery terms. We might just deplete the entire Chinese exploit arsenal in 3 months... Or at least boost the knowledge-base of Chrome using CS students everywhere.

No shit, Sherlock

[smooth wombat]

It also illustrates that Chrome's much lauded sandboxing is not a silver bullet for browser security."

When I made a comment a few weeks back that the fact that Chrome could be installed without admin privileges is a huge security hole, I was told by the "experts" on here that because Chrome was sandboxed, my comment was completely without merit.

Repeat after me: there is no such thing as a secure application. Given enough time, someone, somewhere, will find a way to circumvent any security you may

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TWX]

Essentially. Not broke per se, just not multibillionaires.

Re:

[anubi]

I just saw some stuff on youtube that, well for me, was quite scary.

http://www.youtube.com/watch?v=fxri6DDYAdM [youtube.com]

It was about dangerous sites on the internet. Youtube has lots of links to other similar postings.

A question for fellow slashdotters... how much truth is in this? Or are they playing games with me to scare the hell out of me?

Comments invited.

Re:

[ledow]

But breaking something in a way that no-one has ever done before is a lot HARDER than either.