Google turned over $40,000 to Pinkie Pie, who, according to Chris Evans, Google’s chief reward officer, submitted a “plausible bug chain involving video parsing, a Linux kernel bug and a config file error. The submission included an unreliable exploit demonstrating one of the bugs.”
Evans noted, “We’ve fixed most of these bugs already.” However, he added that “we’d like to thank Pinkie Pie for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures and keep users safe.”
Pinkie Pie came to fame during the first Pwnium in May 2012, with a compromise of the Chrome browser using three zero-day vulnerabilities in the closing hours of the hacking competition. Then, last October, Pinkie Pie nabbed a $60,000 prize from Google for launching a full Chrome exploit as part of the Hack in the Box conference.
With the Pwnium 3 success, Pinkie Pie has a trifecta under his or her belt. The teen may be the most high-profile Chrome hacker at the moment, but he or she is certainly not the only one. In the parallel Pwn2Own contest, the top prize for a Chrome exploit was claimed by Nils and Jon of MWR Labs.
“We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop,” the firm said. “By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.”
Of the two bugs used, one was in the Chrome code, which Evans said Google fixed in 24 hours. “Thankfully, recently deployed hardening measures protected Chrome OS users. The second bug was in the Windows kernel,” Evans said. “The new Pwn2Own rules required the researcher to hand the bug and exploit over to Microsoft, so we’re delighted that the Chrome entry will make other products safer, beyond just Chrome.”
Apart from the periodic hack-a-thons, Google also has a Chromium Vulnerability Reward Program, which covers not only the Chrome desktop browser, but also all Chrome OS components and Chrome on mobile devices.
“We’ve given away more than $900,000 in rewards over the years and we’re itching to give more, as engaging the security community is one of the best ways to keep all Internet users safe,” Evans said.