In an annual security competition, Google offered $60,000 to the person who could successfully hack into Chrome (under very specific parameters), and on the first day, someone won — a first for the heretofore impenetrable browser.
It was inevitable someone, someday would be able to find a “Full Chrome” exploit (using only bugs in Chrome itself, vs. Flash, Windows or a driver), but in the three years its makers offered Chrome to industrious hackers to try to find bugs it could fix, it was like Troy. That is, until Russian university student Sergey Glazunov — a longtime submitter of bugs to the Chromium security team who has already won thousands from Google — found its Trojan horse and executed a “Full Chrome” exploit.
ZDNet reported that Glazunov found a way to bypass Chrome’s “sandbox” – a restriction that normally blocks hackers from being able to take over a user’s device.
Sundar Pichai, a senior VP of Chrome and apps, posted the win in Google+ and promptly reassured users: ”We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”
Glazunov won the $60,000 grand prize on the first day (March 7) of the three-day CanSecWest security conference in Vancouver, as part of the Pwnium competition that offers a big pot of $1 million that goes to reward competitors for exploits. Those who are successful submitting “Partial Chrome exploits” (using at least one bug in Chrome itself, plus other bugs) will receive $40,000.
Even those who successfully submit bugs outside of Chrome will win a $20,000 “Consolation reward, Flash / Windows / other.” So deep are its pockets that Google rationalizes, “Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.”
The original plan called for Google to be a sponsor to the Pwn2Own competition, as it was last year. But, because “contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors,” the company decided instead to run “this alternative Chrome-specific reward program.” Google explained its decision as a safety issue, in requiring full exploits to be submitted, and the team will in turn immediately send non-Chrome bugs to appropriate vendors.
Just prior to the hackathon, Google pushed out a Chrome update with 14 patches and rewarded the finders of each patched flaw $1,000 each.
Who needs a hacking scam to make money when Google invites — dares, even — such attempts and is willing to give cash rewards for doing so?