Researcher Sergey Glazunov hacked the Chrome browser using two vulnerabilities, earning $60,000 out of the $1 million possible purse in the Google-sponsored Pwnium contest.
Glazunov exploited two separate bugs in Chrome – universal cross-site scripting and bad history navigation bugs – to compromise the browser.
Google’s Sundar Pichai said in a blog that the company was “working fast on a fix” to the exploit. True to Pichai’s pledge, Google pushed out a patch on Thursday.
In addition, a research team from the French firm Vupen succeeded in compromising Chrome in the Pwn2Own contest, giving them 32 points in the competition.
The Vupen team told ZDNet that they deliberately targeted the Chrome browser to show that no software is unbreakable if hackers have enough motivation to prepare and launch an attack.
”We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox”, said team leader Chaouki Bekrar. According to a tweet from the Vupen team, the exploit involved a “code execution and sandbox escape (medium integrity process resulted).”
As part of the new format at Pwn2Own, researchers receive points rather than money for successfully hacking a web browser. The team with the most points wins the grand prize of $60,000.