Become a fan of Slashdot on Facebook


Forgot your password?
Security Canada Chrome Mozilla Safari

Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari ( 39

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.
This discussion has been archived. No new comments can be posted.

Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari

Comments Filter:
  • by Anonymous Coward

    They're hackers.

  • by swb ( 14022 ) on Thursday March 17, 2016 @09:39AM (#51714505)

    I keep waiting for someone to find a vulnerability in VMware that lets a VM keep running without appearing in inventory. Bonus points if it can vMotion itself and have access to the management side to manipulate networks.

    • It's not a vulnerability, but you can hide it completely from displayed inventory (vCenter) by taking away access from vpxuser. Or from root on a standalone ESXi instance.

    • I can see a VM playing games with hitting the vCPU hard so DRS rules kick off and bounce the VM around to different physical ESXi boxes, and then using timing techniques, check to see which ESXi box it is sitting on, in order to move to a particular node in a vSphere cluster.

      If a VM can get access to the management interface [1], that would be a game over. From there, it would be a matter of brute forcing users (although 6.0 will lock the account for 120 seconds after ten bad guesses) to get access to crit

      • by Bert64 ( 520050 )

        If you can cause the account to be locked for 2 minutes by making 10 attempts, then you could rapidly make intentionally bogus login attempts and render all accounts inaccessible, which would be somewhat painful to fix.

  • by kav2k ( 1545689 ) on Thursday March 17, 2016 @09:46AM (#51714537)

    All three links lead to the same article, which seems to be a copy&paste oversight.

    I believe the second link was meant to be [] and the third []

    • by AmiMoJo ( 196126 )

      I seem to recall this year Firefox is not being included in the competition, because it's too easy. Can someone confirm?

      • by Khyber ( 864651 )

        Too easy. In fact, just getting my game running under Firefox exposed at least half a dozen vulnerabilities in the way they handle WebGL and Canvas2D.

        Chrome isn't MUCH better, but at least it can handle WebGL failures gracefully.

  • Pwn2Own is too narrow in the scope. Discovering and disclosing vulnerabilities in browsers is certainly a useful public service, but this isn't anywhere near the most harmful. Where are attacks against web servers, databases, cryptographic protocols, SCADA and so on?
    • by Khyber ( 864651 )

      The browser is one of the most common vectors to compromise a system. Why would you NOT attack it when it's proven to be horrendously weak?

    • Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...

      Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.

      Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.

  • Flash? (Score:5, Funny)

    by Drathos ( 1092 ) on Thursday March 17, 2016 @09:59AM (#51714621)

    I hope the prize for hacking Flash was like 5 bucks..

    Talk about low hanging fruit...

    • by Anonymous Coward

      I'm still in shock that they accepted Flash exploits this year, but not Firefox ones. That's like being upset about the Titanic when there are aliens hovering over every major landmark with their death-canons trained on them.

  • Since when is cracking Flash considered to be some feat of hacking genius? I'd be more interested if someone could make Flash secure without disabling and deleting it completely.

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington