Chrome hacked in five minutes
Chrome gets hacked in super quick time, showing no browser is safe.


Google's browser was hacked within only five minutes as part of an annual security contest.
Pwn2Own is an annual browser hacking contest held at CanSecWest in Vancouver. This year, following a disagreement with contest organisers Tipping Point over vulnerability disclosures, Google held its own competition at the same conference, offering a total of $1 million in potential prize money.
After avoiding being successfully attacked for three years thanks largely to its sandbox, which locks down executable code to prevent damage, Chrome was hacked at both Pwn2Own and Google's Pwnium.
For the former, Vupen Security's team used a pair of zero-day flaws - one targeting Windows, the other targeting Chrome's sandbox - to hack the browser mere minutes into the start of the contest.
While the hack only took five minutes to execute, Vupen had been developing the attack against Chrome's sandbox for six weeks, Bekrar told ZDNet.
"We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, according to Ars Technica. "We wanted to show that even Chrome is not unbreakable."
The firm didn't reveal the full details of the hack. Vupen also hacked Firefox 3 and IE8 on Windows XP, as well as Safari 5 on OS X Snow Leopard at the contest.
Pwnium payout
At Google's own Pwnium contest, independent researcher Sergey Glazunov also found a way around Chrome's sandbox using vulnerabilities in the extension system.
Justin Schuh, security engineer at Google, said that Glazunov's exploit didn't break out of the sandbox, but "avoided" it, letting an attacker do as he pleased in the browser.
"It was an impressive exploit," Schuh told ZDNet. "It required a deep understanding of how Chrome works."
Glazunov won $60,000 for the exploit, but it's not the first time the independent researcher has been paid by Google - he frequently picks up payment via the firm's bug bounty programme.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.