By exploiting the zero-day vulnerabilities, Pinkie Pie was able to escape the browser’s sandbox, earning $60,000 for the effort. “Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition”, wrote Jason Kersey with Google Chrome. Kersey identified two of the flaws that Pinkie Pie exploited: an errant plug-in load and GPU processing memory corruption.
This followed the successful compromise of the Chrome browser by Sergey Glazunov, using two vulnerabilities, for which he also earned $60,000 as part of the Pwnium contest. Glazunov exploited two separate bugs in Chrome – universal cross-site scripting and bad history navigation bugs – to compromise the browser.
“We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future”, Kersey wrote. He said that the company is working on additional changes and hardening measures to plug the vulnerabilities.