A hacking contest that makes sport out of serious security bugs paid $117,500 this week for exploits that compromised handheld devices powered by both Apple's iOS and Google's Android mobile operating systems.
The biggest of the three cash prizes was $50,000, paid to "Pinkie Pie," a pseudonymous hacker not yet past his 21st birthday, who already has collected at least two major bug bounties in the past 19 months. His previous hacks exploited vulnerabilities in Google's Chrome browser that gave him complete control of the underlying computer when it did nothing more than visit a booby-trapped website.
Like most modern browsers, Chrome is endowed with security mitigations designed to minimize the damage that can be done when hackers identify buffer overflows and other types of software bugs that are inevitable in just about all complex pieces of software. The security measures—which include "sandboxes" that contain Web content inside a carefully controlled perimeter—significantly increase the amount of work that attackers must put into developing working exploits. Also including address space layout randomization and data execution prevention, the mitigations require hackers to stitch together two or more attacks that exploit multiple vulnerabilities in the targeted device.
"The exploit took advantage of two vulnerabilities—an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape," Pwn2Own officials wrote about the Pinkie Pie hack. "The implications for this vulnerability are the possibility of remote code execution on the affected device."
A successful attack that fetched Pinkie Pie a $60,000 prize in early 2012 targeted at least six different security bugs to break out of the security sandbox fortifying the desktop version of Google's Chrome browser.
Separately, a hacking team from Mitsui Bussan Secure Directions in Japan won $40,000 for two exploits that compromised apps that are installed on all Samsung Galaxy S4 devices. After the S4 browsed a website under the group's control, they were able to access sensitive data stored on the device, including user contacts, bookmarks, browsing history, screenshots, and text messages. Officials with HP, which sponsors the Pwn2Own competition, didn't identify the specific apps that were targeted. The vulnerabilities have been privately reported to Samsung.
Source : Ars Technica
No comments