
Google Offering $20K for Chrome Pwn2Own Hack

Source: Tom's Hardware US

It’s that time of year again!

CanSecWest takes place on March 9 and as usual, there’ll be the annual Pwn2Own hacking contest. However, this year there’s a new platform on the block -- Google’s Chrome OS -- and the search giant is happy to encourage participants to give it all they’ve got. ZDNet reports that Mountain View is offering a prize of $20,000 for the first person to crack its Chrome OS notebook via a vulnerability and sandbox escape in the Chrome browser.

As for other OSes, CanSecWest is also offering cash prizes for those who successfully exploit previously unpublished browser flaws to remotely launch code against 64-bit Windows 7 or Mac OS X machines. IT Business Edge puts these prizes at $15,000 apiece and reports that Nokia’s Symbian has been dropped from the program this year.

For the last three years running, Charlie Miller has been the first to break Safari (in 2009 he hacked it in 10 seconds). At Pwn2Own 2010, Peter Vreugdenhil, an independent researcher, exploited two vulnerabilities in IE8 to break into a machine running a fully patched version of 64-bit Windows 7. A contestant named only as Nils broke through Firefox, also running 64-bit Windows 7.


Sources:
ZDNet
IT Business Edge
Tom’s Hardware

There are 24 Comments.
  • 7
    joytech22 , February 4, 2011 10:45 AM
    It would suck if somebody managed to get into the netbook in under 5 minutes especially for Google.

    I wonder how long (or if they can) it will take to hack it :o 
  • 7
    Judguh , February 4, 2011 11:08 AM
    There's no if. 'Will' sounds more like it.
  • -2
    joelmartinez , February 4, 2011 11:33 AM
    This is just gonna make the Google sad, they are gonna get pwn'd easy
  • 0
    Blessedman , February 4, 2011 12:00 PM
    It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round.
  • 5
    palladin9479 , February 4, 2011 12:15 PM
    Well, it's the different mindsets involved. Paid-for systems designers and engineers / programmers tend to think inside-the-box. Even their "outside the box" ideas are just using a bigger box than previously available. It's the side effect of an organized structured mind. World class hackers tend to have very unorganized unstructured minds; even though they can be very methodical, their methods and tactics are usually creative and unorthodox. They try things no one else would think to do in ways no one would think were possible.
  • 5
    amnotanoobie , February 4, 2011 12:21 PM
    Blessedman wrote: "It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round."

    They don't hack it in 10 minutes. They research prior to Pwn2Own, some take days, some months to find just one bug in the huge number of libraries and runtimes.

    Today's software is more complex, a lot more functionality is expected thus more things could go wrong.
  • 1
    FloKid , February 4, 2011 1:02 PM
    Wow, 20 years to learn how to crack and all you get is 30k??? That must be a typo :- )
  • 4
    zerapio , February 4, 2011 1:02 PM
    Blessedman wrote: "It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round."

    Charlie Miller has a PhD in Mathematics. I'm going to go way out on a limb and say that counts as a degree.
  • 4
    beruli , February 4, 2011 1:03 PM
    If I were Google, I would offer $20,000 to hack my system, could you imagine what it costs them to find security flaws and holes in the system. They're going to have hackers all over the world trying to hack their system for a wad of cash and then Google will turn around and fix them for a mere $20,000, money well spent if you ask me.
  • 3
    iamtheking123 , February 4, 2011 1:08 PM
    So the going rate is $20k per single bug...yeah that's a good system *eye roll* Anyways why bother saying Charlie did a hack in 10 seconds? It's not like he actually sat down and discovered the exploit in 10 seconds, it just took him 10 seconds to hit play.
  • -1
    PreferLinux , February 4, 2011 1:44 PM
    I wonder how they would get on with an almost fully locked-down and fully patched machine running Linux with the latest version of Firefox???
  • 1
    dkant1n , February 4, 2011 4:11 PM
    20k is pocket change for Google and the publicity that they have a "secure" OS is priceless
  • 2
    molo9000 , February 4, 2011 4:37 PM
    joytech22 wrote: "It would suck if somebody managed to get into the netbook in under 5 minutes especially for Google. I wonder how long (or if they can) it will take to hack it"


    The amount of time it takes is pretty irrelevant.
    The contestants don't come to these events unprepared. They know what the systems are going to be and have their exploits prepared.
    They either crack it or don't.
  • 1
    zak_mckraken , February 4, 2011 8:05 PM
    I'm sure there's no "if" about Chrome getting hacked. The question "how long will it take?" is also irrelevant, since, as it's been pointed out, the contestants come prepared. If it's not done in less than 2-3 minutes, it probably won't be done at all.
  • 6
    jryan388 , February 4, 2011 8:20 PM
    But, honestly, how much do vulnerabilities matter, if there are enough ignorant people that click here to "run a free virus scan"?
  • 0
    alidan , February 4, 2011 9:09 PM
    iamtheking123 wrote: "So the going rate is $20k per single bug...yeah that's a good system *eye roll* Anyways why bother saying Charlie did a hack in 10 seconds? It's not like he actually sat down and discovered the exploit in 10 seconds, it just took him 10 seconds to hit play."

    Because if the process isn't macroed (I don't think it is), then it all has to be typed in. And 10 seconds for that is VERY impressive.

    And do they just pay the fastest, or do they also pay for everyone?
  • 8
    TheOnion , February 4, 2011 9:16 PM
    All security is an illusion. Why do we put deadbolts on our doors when there is a glass window 3 feet away? If someone wants to get in, they will.
  • 2
    pale paladin , February 4, 2011 10:38 PM
    This is awesome for Dev and pushes the limits and boundaries of what the big boys think is possible. It is a positive event for SecDevs and Hacks alike. I hope this year will be awesome just like last year.
  • 3
    aaron88_7 , February 5, 2011 12:48 AM
    TheOnion wrote: "All security is an illusion. Why do we put deadbolts on our doors when there is a glass window 3 feet away? If someone wants to get in, they will."

    Breaking a window causes noise and draws attention, walking through an unlocked door makes no noise and draws virtually no attention. Saying security is an illusion only shows you clearly don't work in IT or understand the importance of security. Corporations spend millions on security for a good reason, even if you don't understand that reason.
  • 1
    dgingeri , February 5, 2011 1:45 AM
    Blessedman wrote: "It is funny that you can go out and hire the best programmers in the world. Hire a ton more engineers and have them all collaborate on a secure system and it will take someone with no degrees or certs 10 minutes to take complete control of a supposed secured network device. Having said that, I am going to go way way out on a limb and say that Google will not give away any money this round."

    That's the main problem. Put more people onto a project, and loopholes, errors, and malfunctions will appear more often. Complexity is the enemy. The advantage with Google's Chrome OS is that it is remarkably simple. I think it will be very difficult to defeat it. It will get hacked eventually, but it will probably be the last OS to get hacked.

    Also note that all of the hacks used last year were JavaScript hacks. If you block that at the browser, it gets much harder to hack. That's where noscript and flashblocker come in handy.