Pwn2Own: Hackers Exploit Google Chrome, Apple Safari

  on

Google's Chrome browser was the first to be hacked at the annual Pwn2Own competition held at CanSecWest security conference in Vancouver. The competition, in its fifth year, has garnered lots of attention over the past few weeks, especially after Google disowned the contest, deciding instead to hold a rival competition at the conference titled Pwnium.

Google Chrome has gone untouched in the last two years of the Pwn2Own competition reports Computer World, but it was the first to be hacked after a French team of researchers, Vupen, demonstrated a two-vulnerability attack on the browser as it ran in Windows 7.

Vupen hacked Google Chrome within five minutes of the competition. The feat earned them 32 points from TippingPoint's Zero Day Initiative, a bug-bounty reward program that sponsors the content. 

Apple's Safari browser was the next to fall, according to the Pwn2Own Twitter page, which was live-blogging the event. The Safari exploit was also discovered by Vupen, who made a tremendous statement within the first day of competition. By the end of the day, Vupen lead the contest with 62 points according to an Information Week report

Vupen has become a controversial hacking team because of the way it makes money. The company typically finds exploits and vulnerabilities in software and sells them to government customers. ZDNET reports that Vupen specifically took aim at Chrome in order to send a specific message to the technology world: No software is foolproof if hackers are motivated enough to launch an attack.

Chaouki Bekrar, co-founder and head of research for Vupen, said his team worked about six weeks on finding and writing the exploits.  We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox, he said in a ZDNet interview.

Bekrar did not give many details about the exploits, particularly whether the team had targeted third-party code in the browser.  It was a use-after-free vulnerability in the default installation of Chrome, he said. Our exploit worked against the default installation so it really doesn't matter if it's third-party code anyway.

The Guardian reports that Vupen has come armed with vulnerabilities that will exploit each of the browsers at the show, which include Internet Explorer, Firefox, Chrome and Safari. We wanted to show that Chrome was not unbreakable, Bekrar told ZDNet. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.

Vupen promises to make all of their exploits at Pwn2Own public. Everything VUPEN displays at Pwn2Own was created especially for this competition, said a press representative from the event in an email. With day one finished, Vupen appears to be far ahead of any other team.

Apple's Safari browser is usually the first to fall at Pwn2Own according to The Guardian. Mozilla Firefox and Internet Explorer typically survive a little longer. Since Google Chrome has only recently made it onto the web browsing scene, touting its security model, the Google Chrome browser has garnered lots of attention for its stalwart build.

That, however, comes to an end.

Viva la pwning.

Join the Discussion