Glazunov gets Google's $60,000 bounty for Chrome hack
Security researcher Sergey Glazunov has netted $60,000 under a new Pwnium hacking contest set up by Google for its Chrome web browser. The attack was conducted at the CanSecWest security conference in Vancouver that ends today.
Google (NASDAQ: GOOG) has set aside $1 million for researchers who can find and exploit security holes in Chrome.
The $60,000 prize is given only to hackers who obtain "Chrome/Windows 7 local OS user account persistence using only bugs in Chrome itself." Lower prize amounts of $40,000 and $20,000 are given to those who target Chrome using bugs inherent to the browser and those who find issues without using bugs in Chrome, respectively.
In a ZDNet report, Justin Schuh of the Chrome security team described Glazunov's exploit as "very impressive" and added that an attacker armed with it could have done anything on the infected machine. Noting that a deep understanding of how Chrome works is required, Schuh praised Glazunov's work: "This is not a trivial thing to do. It's very difficult and that's why we're paying $60,000."
The Pwnium competition was set up less than two weeks ago after a disagreement between Google and Pwn2Own organizer TippingPoint over the new rules introduced by the latter.
An explanation posted on the official Chromium blog elaborates on Google's turn away from its traditional sponsorship of the well-known Pwn2Own contest. "Originally, our plan was to sponsor as part of this year's Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome." The blog ended by promising to send non-Chrome bugs to the appropriate vendor "immediately."
For its part, TippingPoint defended its move by saying that its Pwn2Own contest "has never required that contestants give up ... sandbox escapes." The organizer also noted, "If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome."
In a nutshell, Google is more interested in paying for exploits that successfully circumvent its vaunted sandbox so that it can make the sandbox even better. TippingPoint, on the other hand, thinks that forcing participants to reveal this aspect of an exploit will disincentivize security researchers from participating. This is because an exploitable sandbox flaw can be difficult to find and can theoretically be leveraged by researchers as a springboard for other exploits.
For now, Google says that the team is working fast on a fix to be pushed out as soon as possible via the browser's automatic update mechanism.