Chrome hacked in five minutes

Chrome gets hacked in super quick time, showing no browser is safe.

Chrome

Google's browser was hacked within only five minutes as part of annual security contest.

Pwn2Own is an annual browser hacking contest held at CanSecWest in Vancouver. This year, following a disagreement with contest organisers Tipping Point over vulnerability disclosures, Google held its own competition at the same conference, offering a total of $1 million in potential prize money.

After avoiding being successfully attacked for three years thanks largely to its sandbox, which locks down executable code to prevent damage, Chrome was hacked at both Pwn2Own and Google's Pwnium.

For the former, Vupen Security's team used a pair of zero-day flaws - one targeting Windows, the other targeting Chrome's sandbox - to hack the browser mere minutes into the start of the contest.

We wanted to show that even Chrome is not unbreakable

While the hack only took five minutes to execute, Vupen has been developing the attack against Chrome's sandbox for six weeks, Bekrar told ZDNet.

"We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, according to Ars Technica. "We wanted to show that even Chrome is not unbreakable."

The firm didn't reveal the full details of the hack. Vupen also hacked Firefox 3 and IE8 on Windows XP, as well as Safari 5 on OS X Snow Leopard at the contest.

Pwnium payout

At Google's own Pwnium contest, independent researcher Sergey Glazunov also found a way around Chrome's sandbox using vulnerabilities in the extension system.

Justin Schuh, security engineer at Google, said that Glazunov's exploit didn't break out out of the sandbox, but "avoided" it, letting an attacker do as he pleased in the browser.

"It was an impressive exploit," Schuh told ZDNet. "It required a deep understanding of how Chrome works."

Glazunov won $60,000 for the exploit, but it's not the first time the independent researcher has been paid by Google - he frequently picks up payment via the firm's bug bounty programme.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Google’s Grace Hopper subsea cable lands in Cornwall
Infrastructure

Google’s Grace Hopper subsea cable lands in Cornwall

15 Sep 2021
South Korea fines Google for abusing Android dominance
Policy & legislation

South Korea fines Google for abusing Android dominance

14 Sep 2021
Google handed user data to Hong Kong authorities despite pledge
privacy

Google handed user data to Hong Kong authorities despite pledge

13 Sep 2021
Google and Microsoft's hybrid work battle shows the narrative is just as important as the technology
collaboration

Google and Microsoft's hybrid work battle shows the narrative is just as important as the technology

9 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021