Chrome “first to fall” in hacking competition

Google loves to brag about how secure its Chrome browser is, and the results of last year’s Pwn2Own hacking competition only gave the company more ammo. Well, at this year’s event, some hackers wanted to feed Google humble pie—and they did.

As ZDNet reports, security researcher Chaouki Bekrar and his team managed to take "complete control of a fully patched 64-bit Windows 7 (SP1) machine" using two zero-day vulnerabilities in Google’s browser. Chaouki said the feat took six weeks of preparatory work that involved locating the vulnerabilities and writing code to exploit them.

Chrome ended up being the first browser to fall at the competition yesterday. "We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," said Bekrar. The hacking competition was part of this year’s CanSecWest conference, which is still going on today and tomorrow in Vancouver, Canada.

There was more on the line than hacker cred and some free PR for Bekrar, of course. Google is actively encouraging hackers to find holes in Chrome. Last month, the company said it would be offering $1 million in prizes for hackers who find holes in the browser. Finding a "full Chrome exploit" entails a $60,000 prize, and Google throws in a free Chromebook. Cash prizes are also awarded for the discovery of security holes involving other software but liable to affect Chrome users. (Thanks to TR reader SH SOTN for the link.)

Comments closed
    • blitzy
    • 8 years ago

    Doesn’t sound like anything to worry about, had their team focused on any of the browsers they would probably have managed to find an exploit. From what I have seen of Google they are pretty good about patching issues, and sticking up a 1mil prize pool shows they are pretty serious about it.

      • jpostel
      • 8 years ago

      I think this makes for some good PR for Google, and as long as the vulnerabilities are quickly patched, it makes for a better browser for Chrome users.

    • willyolio
    • 8 years ago

    damn. and apple’s been consistently taking first place in these several years running, and it takes them no effort at all!

    Google had to spend $60,000 on this team to get first place! ha! take that, Google!

    • indeego
    • 8 years ago

    http://www.chromium.org/Home/chromium-security/hall-of-fame Sergey just made another $60K on top of that...

    • Corrado
    • 8 years ago

    Weren’t they the ones thumping their chests last year because they were the last to be exploited? Times change I guess, when you’re in such a rapid development cycle.

    • l33t-g4m3r
    • 8 years ago

    I think the Google team could probably find a few exploits, namely the ones they put in their browser to spy on you.

      • Farting Bob
      • 8 years ago

      I need more tinfoil, my hat isn’t thick enough!

        • axeman
        • 8 years ago

        I wear a lead toque.

        • danny e.
        • 8 years ago

        you and all the voters apparently don’t pay attention to how Google spies on everything you do.
        Never trust a company whose sole revenue source is sharing your data with advertisers. (eg facebook, google)

    • Krogoth
    • 8 years ago

    Anything can potentially be “cracked”.

    The real question should be, is the target worth cracking? 😉

    • Xenolith
    • 8 years ago

    The Chrome security model is still the best. With that said, there will be more exploits found.

      • Madman
      • 8 years ago

      Unless the hacker wants to hack tab A from tab B, it’s the same damn thing.

      • Sahrin
      • 8 years ago

      I don’t know if I’d call it the “Chrome security model” – they’re using instancing and sandboxing – features provided by Windows to all applications.

        • Chun¢
        • 8 years ago

        Where do you think windows got its anti-virus chops from? They were the only platform that was worth hacking back during the XP times.

    • entropy13
    • 8 years ago

    Sorry Google, but Apple products and software are the only ones that are forever pure and free from taint.

    Hail Apple! Glory be to the Blessed Company!

      • pogsnet1
      • 8 years ago

      Haha you probably don’t know yet.

      http://www.dailytech.com/Apples+OS+X+is+First+OS+to+be+Hacked+at+This+Years+Pwn2Own/article21097.htm

        • faramir
        • 8 years ago

        1, 2, 3 checking … Is your sarcasm detector still off?

          • entropy13
          • 8 years ago

          Maybe he…

          probably don’t know yet. lol

        • entropy13
        • 8 years ago

        Obviously black propaganda from heathens.

      • derFunkenstein
      • 8 years ago

      haha, you said “taint”

        • Lucky Jack Aubrey
        • 8 years ago

        ‘taint funny.

        (actually it made me chuckle; I just wanted to say ‘taint funny)

          • entropy13
          • 8 years ago

          Hooray for punny funs!

    • Arag0n
    • 8 years ago

    Bye bye unhackable tag….

      • stdRaichu
      • 8 years ago

      Calling anything unhackable is like calling the titanic unsinkable. The fact that google are giving (admittedly small) bounties to people who discover and report vulns in chrome is a tacit admission that they realise no software is perfect.

      Who’s calling chrome unhackable anyway?

      Disclaimer: I’m a firefox user and actively dislike chrome, so no pro-google fanboyism intended.

        • shank15217
        • 8 years ago

        Lol google isn’t dumb, they say those things to encourage the hacking. Several weeks with a team to find a hack is heavy on resources and time and they just gave google a means to improve their browser. Try to read between the lines especially in the comp sec field.

          • timaeus
          • 8 years ago

          Exactly. They aren’t offering the bounty as a way of “proving” how secure it is. It’s a relatively cheap way of hiring skilled labor to find their vulnerabilities.

      • Farting Bob
      • 8 years ago

      Who said it was unhackable?

        • eitje
        • 8 years ago

        http://www.google.com/search?q=google+chrome+unhackable
