Annual Pwn2Own Hackathon Sees Chrome & Safari Hacked on Day 1

Security researchers and white hat hackers have, on the very first day of the annual Pwn2Own hacking contest, exploited unknown vulnerabilities contained within Apple Safari and Google Chrome browsers. Unsurprisingly, Adobe’s Flash Player was also compromised.

Four teams and a solo researcher competed against each other on the first day of the annual Pwn2Own hacking contest. This year’s targets were all popular known programs. They included Safari, running on OS X; Chrome, running on Windows; Microsoft Edge, running on Windows and Flash, also running on Windows.

Six attempts were made. Four were successful. One, partially successful while the other failed.

As reported by Computer World, the 360Vulcan Team from Qihoo 360, a Chinese Internet security company combined a remote code execution vulnerability in Flash player along with a vulnerability in the Windows kernel to achieve system privileges. The prize? A cool $80,000, with $60,000 for the Flash exploit and the bonus for an escalation rendered at system-level.

On the same day, the team then demonstrated a remote code execution attack against Google Chrome, which was also escalated to system. Four vulnerabilities were combined for the exploit, one in Chrome, two in Flash and the other in the Windows kernel. This was considered a ‘partial’ win as the Chrome flaw had been previously reported to Google by a researcher, unbeknownst to the Chinese group. Still, they made $52,500 for the hack with total earnings of $132,500, on the very first day.

South Korean hacker JungHoon Lee, known by his hacker alias “lokihardt”, pulled off a remote code execution attack against the Apple Safari browser on OSX, with an escalation to gain root privileges. Four vulnerabilities were combined to earn him $60,000.

Safari exploits were awarded $40,000 this year, compared to $60,000 for both Chrome and Edge browsers.

Notably, JungHoon Lee was the overall ‘winner’ during last year’s Pwn2Own hacking contest, taking home winnings of $225,000, nearly half the total payout.

The Tencent Security Team Shield, a group of hackers form Chinese internet giant Tencent demonstrated an exploit against Safari to gain root-level code execution. They used two vulnerabilities, put together, one in Safari and the other in privileged access, to earn them $40,000.

Tencent Security Team Sniper, one of three teams from the Chinese company, successfully hacked the Flash Player on Windows that involved privilege escalation to system, earning them $50,000.

Xuanwu Lab, the third Tencent team failed in an attempt to exploit against the Flash Player in the Edge browser.

Altogether, security researchers won $282,500 on the first day and revealed 15 vulnerabilities that were previously unknown. All vulnerabilities will be reported to the affected vendors.

The total prize pool of the hacking contest, sponsored by Hewlett Packard and Trend Micro sees a bounty of $600,000 altogether.

Featured image from Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.