Hacked: Hacking Finance

Annual Pwn2Own Hackathon Sees Chrome & Safari Hacked on Day 1


Samburaj Das


Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.



Security researchers and white hat hackers have, on the very first day of the annual Pwn2Own hacking contest, exploited unknown vulnerabilities contained within Apple Safari and Google Chrome browsers. Unsurprisingly, Adobe’s Flash Player was also compromised.


Four teams and a solo researcher competed against each other on the first day of the annual Pwn2Own hacking contest. This year’s targets were all popular, well-known programs. They included Safari, running on OS X; Chrome, running on Windows; Microsoft Edge, running on Windows; and Flash, also running on Windows.

Six attempts were made. Four were successful. One was partially successful, while the other failed.

As reported by Computer World, the 360Vulcan Team from Qihoo 360, a Chinese Internet security company, combined a remote code execution vulnerability in Flash Player with a vulnerability in the Windows kernel to achieve system privileges. The prize? A cool $80,000, with $60,000 for the Flash exploit and the bonus for an escalation to system level.

On the same day, the team then demonstrated a remote code execution attack against Google Chrome, which was also escalated to system. Four vulnerabilities were combined for the exploit, one in Chrome, two in Flash and the other in the Windows kernel. This was considered a ‘partial’ win as the Chrome flaw had been previously reported to Google by a researcher, unbeknownst to the Chinese group. Still, they made $52,500 for the hack with total earnings of $132,500, on the very first day.

South Korean hacker JungHoon Lee, known by his hacker alias “lokihardt”, pulled off a remote code execution attack against the Apple Safari browser on OS X, with an escalation to gain root privileges. Four vulnerabilities were combined to earn him $60,000.

Safari exploits were awarded $40,000 this year, compared to $60,000 for both Chrome and Edge browsers.

Notably, JungHoon Lee was the overall ‘winner’ during last year’s Pwn2Own hacking contest, taking home winnings of $225,000, nearly half the total payout.

The Tencent Security Team Shield, a group of hackers from Chinese internet giant Tencent, demonstrated an exploit against Safari to gain root-level code execution. They combined two vulnerabilities, one in Safari and the other in privileged access, to earn $40,000.

Tencent Security Team Sniper, one of three teams from the Chinese company, successfully hacked Flash Player on Windows with an exploit that involved privilege escalation to system, earning them $50,000.

Xuanwu Lab, the third Tencent team, failed in its attempt to exploit Flash Player in the Edge browser.

Altogether, security researchers won $282,500 on the first day and revealed 15 vulnerabilities that were previously unknown. All vulnerabilities will be reported to the affected vendors.

The total prize pool of the hacking contest, sponsored by Hewlett Packard and Trend Micro, is $600,000.

Featured image from Shutterstock.
