
Google Offering $20K for Chrome Pwn2Own Hack

Source: Tom's Hardware US

It’s that time of year again!

CanSecWest takes place on March 9 and as usual, there’ll be the annual Pwn2Own hacking contest. However, this year there’s a new platform on the block -- Google’s Chrome OS -- and the search giant is happy to encourage participants to give it all they’ve got. ZDNet reports that Mountain View is offering a prize of $20,000 for the first person to crack its Chrome OS notebook via a vulnerability and sandbox escape in the Chrome browser.

As for other OSes, CanSecWest is also offering cash prizes for those who successfully exploit previously unpublished browser flaws to remotely launch code against 64-bit Windows 7 or Mac OS X machines. IT Business Edge puts these prizes at $15,000 apiece and reports that Nokia’s Symbian has been dropped from the program this year.

For the last three years running, Charlie Miller has been the first to break Safari (in 2009 he hacked it in 10 seconds). At Pwn2Own 2010, Peter Vreugdenhil, an independent researcher, exploited two vulnerabilities in IE8 to break into a machine running a fully patched version of 64-bit Windows 7. A contestant named only as Nils broke through Firefox, also running 64-bit Windows 7.


Sources:
ZDNet
IT Business Edge
Tom’s Hardware

Discuss
  • 7
    joytech22 , February 4, 2011 2:45 AM
    It would suck if somebody managed to get into the netbook in under 5 minutes especially for Google.

    I wonder how long (or if they can) it will take to hack it :o 
  • 7
    Judguh , February 4, 2011 3:08 AM
    There's no if. 'Will' sounds more like it.
  • -2
    joelmartinez , February 4, 2011 3:33 AM
    This is just gonna make the Google sad, they are gonna get pwn'd easy
  • 0
    Blessedman , February 4, 2011 4:00 AM
    It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round.
  • 5
    palladin9479 , February 4, 2011 4:15 AM
    Well, it's the different mindsets involved. Paid for systems designers and engineers / programmers tend to think inside-the-box. Even their "outside the box" ideas are just using a bigger box than previously available. It's the side effects of an organized structured mind. World class hackers tend to have very unorganized unstructured minds, even though they can be very methodical their methods and tactics are usually creative and unorthodox. They try things no one else would think to do in ways no one would think were possible.
  • 5
    amnotanoobie , February 4, 2011 4:21 AM
    Blessedman: It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round.

    They don't hack it in 10 minutes. They research prior to Pwn2Own, some take days, some months to find just one bug in the huge number of libraries and runtimes.

    Today's software is more complex, a lot more functionality is expected thus more things could go wrong.
  • 1
    FloKid , February 4, 2011 5:02 AM
    Wow, 20 years to learn how to crack and all you get is 30k??? That must be a typo :- )
  • 4
    zerapio , February 4, 2011 5:02 AM
    Blessedman: It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round.

    Charlie Miller has a PhD in Mathematics. I'm going to go way out on a limb and say that counts as a degree.
  • 4
    beruli , February 4, 2011 5:03 AM
    If I were Google, I would offer $20,000 to hack my system, could you imagine what it costs them to find security flaws and holes in the system. They're going to have hackers all over the world trying to hack their system for a wad of cash and then Google will turn around and fix them for a mere $20,000, money well spent if you ask me.
  • 3
    iamtheking123 , February 4, 2011 5:08 AM
    So the going rate is $20k per single bug...yeah that's a good system *eye roll* Anyways why bother saying Charlie did a hack in 10 seconds? It's not like he actually sat down and discovered the exploit in 10 seconds, it just took him 10 seconds to hit play.
  • -1
    PreferLinux , February 4, 2011 5:44 AM
    I wonder how they would get on with an almost fully locked-down and fully patched machine running Linux with the latest version of Firefox???
  • 1
    dkant1n , February 4, 2011 8:11 AM
    20k is pocket change for Google and the publicity that they have a "secure" OS is priceless
  • 2
    molo9000 , February 4, 2011 8:37 AM
    joytech22: It would suck if somebody managed to get into the netbook in under 5 minutes especially for Google. I wonder how long (or if they can) it will take to hack it


    The amount of time it takes is pretty irrelevant.
    The contestants don't come to these events unprepared. They know what the systems are going to be and have their exploits prepared.
    They either crack it or don't.
  • 1
    zak_mckraken , February 4, 2011 12:05 PM
    I'm sure there's no "if" about Chrome getting hacked. The question "how long will it take?" is also irrelevant, since, as it's been pointed out, the contestants come prepared. If it's not done in less than 2-3 minutes, it probably won't be done at all.
  • 6
    jryan388 , February 4, 2011 12:20 PM
    But, honestly, how much do vulnerabilities matter, if there are enough ignorant people that click here to "run a free virus scan"?
  • 0
    alidan , February 4, 2011 1:09 PM
    iamtheking123: So the going rate is $20k per single bug...yeah that's a good system *eye roll* Anyways why bother saying Charlie did a hack in 10 seconds? It's not like he actually sat down and discovered the exploit in 10 seconds, it just took him 10 seconds to hit play.

    because if the process isn't macroed (i don't think it is), then it all has to be typed in. and 10 seconds for that is VERY impressive.

    and do they just pay the fastest, or do they also pay for every one?
  • 8
    TheOnion , February 4, 2011 1:16 PM
    All security is an illusion. Why do we put deadbolts on our doors when there is a glass window 3 feet away? If someone wants to get in, they will.
  • 2
    pale paladin , February 4, 2011 2:38 PM
    this is awesome for Dev and pushes the limits and boundaries of what the big boys think is possible. It is a positive event for SecDevs and Hacks alike. I hope this year will be awesome just like last year.
  • 3
    aaron88_7 , February 4, 2011 4:48 PM
    TheOnion: All security is an illusion. Why do we put deadbolts on our doors when there is a glass window 3 feet away? If someone wants to get in, they will.

    Breaking a window causes noise and draws attention, walking through an unlocked door makes no noise and draws virtually no attention. Saying security is an illusion only shows you clearly don't work in IT or understand the importance of security. Corporations spend millions on security for a good reason, even if you don't understand that reason.
  • 1
    dgingeri , February 4, 2011 5:45 PM
    Blessedman: It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round.

    That's the main problem. Put more people onto a project, and loopholes, errors, and malfunctions will appear more often. Complexity is the enemy. The advantage with Google's Chrome OS is that it is remarkably simple. I think it will be very difficult to defeat it. It will get hacked eventually, but it will probably be the last OS to get hacked.

    Also note that all of the hacks used last year were javascript hacks. If you block that at the browser, it gets much harder to hack. That's where noscript and flashblocker come in handy.