Chrome hacked in five minutes

Chrome gets hacked in super quick time, showing no browser is safe.

Chrome

Google's browser was hacked within only five minutes as part of annual security contest.

Pwn2Own is an annual browser hacking contest held at CanSecWest in Vancouver. This year, following a disagreement with contest organisers Tipping Point over vulnerability disclosures, Google held its own competition at the same conference, offering a total of $1 million in potential prize money.

Advertisement - Article continues below

After avoiding being successfully attacked for three years thanks largely to its sandbox, which locks down executable code to prevent damage, Chrome was hacked at both Pwn2Own and Google's Pwnium.

For the former, Vupen Security's team used a pair of zero-day flaws - one targeting Windows, the other targeting Chrome's sandbox - to hack the browser mere minutes into the start of the contest.

We wanted to show that even Chrome is not unbreakable

While the hack only took five minutes to execute, Vupen has been developing the attack against Chrome's sandbox for six weeks, Bekrar told ZDNet.

"We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, according to Ars Technica. "We wanted to show that even Chrome is not unbreakable."

The firm didn't reveal the full details of the hack. Vupen also hacked Firefox 3 and IE8 on Windows XP, as well as Safari 5 on OS X Snow Leopard at the contest.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Pwnium payout

At Google's own Pwnium contest, independent researcher Sergey Glazunov also found a way around Chrome's sandbox using vulnerabilities in the extension system.

Justin Schuh, security engineer at Google, said that Glazunov's exploit didn't break out out of the sandbox, but "avoided" it, letting an attacker do as he pleased in the browser.

"It was an impressive exploit," Schuh told ZDNet. "It required a deep understanding of how Chrome works."

Glazunov won $60,000 for the exploit, but it's not the first time the independent researcher has been paid by Google - he frequently picks up payment via the firm's bug bounty programme.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/ransomware/355909/microsoft-issues-warning-about-new-ponyfinal-ransomware-attacks
ransomware

Microsoft issues warning about new PonyFinal ransomware attacks

3 Jun 2020
Visit/security/data-breaches/355908/amtrak-guest-reward-suffers-a-data-breach
data breaches

Amtrak Guest Reward suffers a data breach

3 Jun 2020
Visit/security/cyber-security/355903/brand-impersonation-and-form-based-attacks-are-rising
cyber security

Brand-impersonation and form-based attacks are rising

3 Jun 2020
Visit/mobile/mobile-security/355889/parachute-introduces-superlock-feature
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020

Most Popular

Visit/security/ransomware/355891/nasa-it-contractor-ransomware-hack
ransomware

Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020
Visit/security/exploits/355866/critical-vmware-cloud-director-exploit-lets-hackers-seize-corporate
exploits

VMware Cloud Director exploit lets hackers seize corporate servers

2 Jun 2020
Visit/data-insights/data-science/355678/how-data-science-is-transforming-business
Sponsored

How data science is transforming business

29 May 2020