VANCOUVER, British Columbia — Just hours before the end of Google’s $1 million hack challenge, a teenager who once applied to work at Google without getting a response, hacked the company’s Chrome browser using three zero-day vulnerabilities, one of which allowed him to escape the browser’s security sandbox.
The tall teen, who asked to be identified only by his handle “Pinkie Pie” because his employer did not authorize his activity, spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest.
A demonstration of the teen’s hack took a slight departure from other hack demonstrations this week. Instead of opening the calculator application on the targeted machine to demonstrate success, Pinkie Pie’s hack ended with an image of an axe-wielding Pinkie Pie pony, a character from the wildly popular My Little Pony animated TV series.
The hack qualifies him for one of the top $60,000 prizes that are part of Google’s $1 million Pwnium challenge, and could be the launch of a new security career.
The teen said the escape from the sandbox was surprisingly more easy to do than other parts of his exploit.
“I got lucky because I found a way to do that relatively early,” he said.
The sandbox is a security feature in Chrome and some other browsers that’s meant to contain malware and keep it from breaking out of the browser and affecting a computer’s operating system and other applications. Sandbox vulnerabilities are highly prized, because they’re rare, hard to find and allow an attacker to escalate his control of a system.
Google declined to discuss details of the three vulnerabilities the teen used in his exploit until the company can create and distribute a patch.
He dropped the exploit just hours before the end of the three-day contest, which was held at the CanSecWest conference in Canada.
Pinkie Pie was one of only two contestants in the contest, which Google launched only this year. The other contestant was Russian university student Sergey Glazunov whose zero-day exploit kicked off the contest on Wednesday for another $60,000 win.
Glazunov’s attack took advantage of the Chrome extension subsystem to sidestep the browser’s sandbox. The exploit used two zero-day vulnerabilities, which Google quickly patched within a day of Glazunov’s demonstration.
Glazunov has an advantage over Pinkie Pie in hacking Chrome. He’s one of Google’s most prolific bug finders and earned around $70,000 for previous bugs he’s found under the company’s year-round bug bounty program. As such, he’s very familiar with the Chrome code base.
Pinkie Pie, wearing shorts, a t-shirt and glasses, said he’d never submitted a vulnerability report to Google before, but he had sent his resume to the company last year seeking a job. He wrote in his cover note that he could crack Chrome on OSX, but he never got a reply.
But now it looks like the teen might soon be riding his pony into the Googleplex. A member of Google’s security team on-site at the conference said they’d be sure to follow up on his resume now.
Photo: Kim Zetter/Wired