msgbartop
All about Google Chrome & Google Chrome OS
msgbarbottom

03 Mar 12 Google Offers $1 Million in Hacker Bounties for Exploits Against Chrome


It may be hard out there for a pimp, but it just got a little bit more lucrative for a hacker.

Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.

Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.

“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.

The exploits must work against Windows 7 machines running the Chrome browser.

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.

Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that difficulties bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on the Internet Explorer and Safari browsers instead.

Article source: http://www.wired.com/threatlevel/2012/02/google-1-million-dollar-hack-contest/

Tags: , , ,

29 Feb 12 Google bets million bucks its Chrome Web browser can't be busted


Google bets big that its Chrome Web browser can't be busted.

Google bets big that its Chrome Web browser can’t be busted.

Google is putting its money where its Chrome Web browser is. In a Chromium blog posting Chris Evans and Justin Schuh, two members of the Chrome security team, announced that Google will be offering ‘multiple rewards per category, up to the $1 million limit, on a first-come-first served basis’ for demonstrated security breaches of Chrome on Windows 7 .

That may be the safer bet than it sounds. Chrome, while not bullet-proof, is widely regarded as the more secure of the Web browsers. In CanSecWest Pwn2Own hacker contests, Chrome has never been broken.

In Google’s security challenge, which is not connected with 2012’s Pwn2Own competition, Google is looking for “full end-to-end exploits.” That way, “not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”

So, “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.” Here are the rule for the Chrome exploit competition:

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

All winners will also receive a Chromebook.

We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or “winner takes all.” We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.

Gentleman, sharpen your hacking skills and get to work now!

Google will be running this content on its own at the CanSecWest security conference in Vancouver on March 7th to 9th, the Pwn2Own venue, but independently of the Pwn2Own contest. Google is doing this because .”We discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive — not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.”

In a twitter note from the Pwn2Own contest organizer and sponsor, HP TippingPoint’s, Zero Day Initiative (ZDI) “To clarify, if a team demonstrates 0day at#Pwn2Own2012, but doesn’t end up as a winner, the vuln is still theirs and will not be reported.

The split between Google and SPI doesn’t appear to be hostile. Aaron Portnoy, Manager of the Security Research Team at TippingPoint Technologies who the man responsible for reverse engineering vulnerability submissions to ZDI, tweeted, “Nice to see over that after 5 years of the@Pwn2Own_Contest vendors are finally stepping up and offering big $ for vulns.

Still, while there has been a partings of the way, hackers will now have both Google’s million dollars to compete with and Pwn2Own’s own one-hundred-thousand plus worth of prizes to strive for. May the best hacker win!

Related Stories:

CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

Review: Chrome 17, faster than ever, more secure than ever.

Google working on strong password generator for Chrome

How do you use your browser’s ‘porn mode’?

Google Chrome gets another security makeover

Article source: http://www.zdnet.com/blog/networking/google-bets-million-bucks-its-chrome-web-browser-cant-be-busted/2069

Tags: , , ,

29 Feb 12 Google Offers $1 Million in Hacker Bounties for Exploits Against Chrome


It may be hard out there for a pimp, but it just got a little bit more lucrative for a hacker.

Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.

Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.

“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.

The exploits must work against Windows 7 machines running the Chrome browser.

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.

Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that difficulties bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on Internet Explorer and Safari.

Article source: http://www.wired.com/threatlevel/2012/02/google-1-million-dollar-hack-contest/

Tags: , , ,