Chrome Owned by Exploits in Hacker Contests, But Google’s $1M Purse Still Safe

Team Vupen's five members demonstrated a valuable zero-day exploit against the Chrome browser during the Pwn2Own hacking contest in Vancouver. The team included (left to right) Vupen Security co-founder Chaouki Bekrar and four colleagues who wanted to be identified only by their first names, Matthieu, Alexandre, Jordan and Nicolas. (Photo: Kim Zetter/

VANCOUVER, British Columbia — A $1 million purse that Google has offered to hackers who can produce zero-day exploits against its Chrome browser appears to be safe after the first day of its three-day Pwnium hacking contest, which yielded just one contestant and one successful zero-day attack.

The absence of competitors has made for a very quiet contest, particularly since the sole competitor in the Google competition so far didn’t even show up for the event. The successful attack code, which actually exploited two vulnerabilities in Chrome, was developed by Russian university student Sergey Glazunov, who lives somewhere outside Siberia and sent in his code via a proxy who was present at the contest event.

Glazunov earned $60,000 from Google for his exploit. The remaining $940,000 in the purse, which Google has promised to pay out in increments of $60,000, $40,000 and $20,000 – depending on the severity and characteristics of the exploits – is awaiting other challengers who so far have yet to join the contest.

According to the rules of the Pwnium contest (pronounced Ponium in hackerspeak), Glazunov is required to hand over details about the vulnerabilities he uncovered and the exploits he created so that Google can patch the security holes.

“We’re very happy because we have the full exploits, we have the full details. We’ll be able to figure out everything that needs to be fixed,” said a member of Google’s security team, who asked not to be identified because he wasn’t authorized to speak with the press.

Glazunov’s attack takes advantage of the Chrome extension subsystem to sidestep the browser’s sandbox, according to the security team member, but he declined to offer any additional details while the company works on patches for the vulnerabilities.

The sandbox is a security feature in Chrome that’s meant to contain malware and keep it from breaking out of the browser and affecting a computer’s operating system and other applications. Sandbox vulnerabilities are highly prized, because they’re rare and hard to find and allow an attacker to escalate his control of a system.

Glazunov has an advantage in trying to cash in on Google’s bounty. He’s one of Google’s most prolific bug finders, has earned around $70,000 for previous bugs he’s found under the company’s year-round bug bounty program, and is familiar with the Chrome code base.

Google’s Pwnium challenge, held for the first time this year, is playing out at the CanSecWest security conference in parallel with another hacking contest, Pwn2Own, which also produced a successful zero-day attack against Chrome on Wednesday.

Both contests were aimed this year at uncovering security vulnerabilities in browsers, so that they could be fixed. While Pwnium focused only on Chrome, Pwn2Own asked contestants to find zero-days in Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. The contest provides the makers of browser software with valuable information about security flaws in their products, without having to spend the time and resources to uncover the vulnerabilities themselves.

The successful Chrome zero-day attack in the Pwn2Own contest was conducted by a five-man team from the French firm Vupen Security, which sells exploits to government customers. Vupen’s attack, which exploited two vulnerabilities that are different from the ones Glazunov exploited, put the team in the lead to win a separate $60,000 payoff being offered by HP Tipping Point, which sponsors the Pwn2Own contest.

The Vupen team, composed of company co-founder Chaouki Bekrar and four colleagues, spent about six weeks researching vulnerabilities and developing the exploit. The first vulnerability is used to bypass the data execution prevention (DEP) and address space layout randomization (ASLR) protections in Windows; the second breaks the attackers out of the Chrome sandbox.

The team, dressed in matching black “hoodies” with their company name on the back, demonstrated a hack using the exploit that involved a malicious web page containing the exploit code. When the target machine using the Chrome browser visited the page, the exploit automatically executed and opened the calculator application.

Because the exploit had been prepared in advance of the conference, it took just a short time after the contest launched for them to demonstrate their attack using it.

Bekrar provided details of the first vulnerability to HP Tipping Point so that it can be fixed, but declined to discuss the nature of the second one, saying he would be withholding that information and the exploit to sell to his customers. Under the rules of the Pwn2Own contest, winners aren’t required to hand over details about sandbox exploits.

The reporting rule has stirred up controversy and was the reason Google launched its own exploit challenge this year, instead of simply adding its bounty money to the Pwn2Own contest. Pwn2Own organizer Aaron Portnoy, who is manager of Tipping Point’s security research team, told Wired that no one would want to participate in the contest if they had to disclose details about sandbox exploits, since these exploits can earn much more money on the open and underground markets than the $60,000 the contest pays out.

A Google engineer offered Bekrar $60,000 on top of the $60,000 he stands to earn in the Pwn2Own contest if he handed over the sandbox exploit and details. But Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million. After the Google engineer left the conversation, Bekrar told Wired that money wasn’t the main enticement for him and he had no plans to hand over the exploit to Google.

The Google security team member expressed frustration at Bekrar’s reluctance to provide information about the vulnerability so that it could be fixed.

“We’re trying to get information out of somebody so that we can fix it, but nobody’s willing to give anything to us,” he said. “[Without that information] it’s not about protecting users anymore, it’s about showing off. It’s good for stroking egos, but aside from that it doesn’t make the web safer.”

The Pwn2Own contest consists of two parts. The first part is the zero-day contest, in which contestants can bring zero-day exploits they’ve created in advance. If the exploit works, they earn 32 points.

The second part of the contest consists of on-the-fly exploits that contestants are required to develop for browser vulnerabilities that have already been patched. They’re only told which vulnerabilities they’ll have to write exploits for after the contest begins, and can earn 10 points on the first day of the contest for every successful exploit against a patched vulnerability, and 9 and 8 points for each day thereafter. At the end of the contest, the points are added up and the first-place winner gets $60,000, followed by the second place prize of $30,000 and a third-place prize of $15,000.

Bekrar said his team has three other zero-day exploits in its pocket, each aimed at one of the other three browsers in the contest – Microsoft Internet Explorer, Apple Safari and Mozilla Firefox – but would only bust them out if it looked like a competitor might show up who seriously threatened their lead position. In addition to demonstrating their zero-day Chrome exploit on Wednesday, the team produced three exploits on-the-fly for patched vulnerabilities in Internet Explorer, Firefox and Safari.

So far only one other team is competing in the Pwn2Own contest, but that team, composed of two men, has yet to submit any exploits or even show up in the contest room, preferring to work remotely in another part of the hotel where the conference is being held.