WebProNews

Tag: security rewards program

  • Google Patches Chrome Flaw In 24 Hours

    Yesterday we brought you news that Google had paid out $60,000 to Russian university student Sergey Glazunov for finding a security flaw in their Chrome browser. Glazunov, a participant in Google’s Pwnium contest, used a sandbox bypass to hack the latest version of Chrome running on a fully up-to-date Windows 7 PC. Google had offered a $60,000 prize to the first participant to identify a “full Chrome exploit” in the contest. With Glazunov’s success, Google happily paid him the money.

    And then they fixed the exploit. Less than 24 hours after Glazunov identified the exploit, Google had begun rolling out an updated version of Chrome that patched it. In a post on the Google Chrome release blog last night, Google offered their congratulations to Glazunov and said that the exploit – which involved “UXSS and bad history navigation” – had been fixed. They also said, however, that the full details of the security flaw would be withheld until the update had been installed by the majority of Chrome users.

    Google’s Chrome browser has consistently gotten very high marks for its security, and has consistently fared far better than Microsoft’s Internet Explorer or Mozilla Firefox at the Pwn2Own hacking contest at the annual CanSecWest conference. Google has made a habit of rewarding those who are able to find security flaws in the software.

    Of course, it goes without saying that if you’re a Chrome user, you should make sure you have the latest update as soon as possible. The latest version is 17.0.963.78.

  • Google Chrome Hack Earns Student $60,000 At Pwnium

    The Google Chrome Security Team made the offer to hackers the world over: come to the CanSecWest security conference, have a crack at finding Chrome exploits, win $60,000 if you succeed. A part of the Chromium Security Rewards Program, the contest is Google’s open invitation to hackers to help Google identify exploits in the Chrome browser, which is based on the open-source project Chromium.

    That challenge was met with vigor but one Russian university student successfully hacked into a fully patched computer running Windows 7 (64-bit) by using a Chrome sandbox bypass. Sergey Glazunov, a security researcher and long-time Chromium contributor, collected the hacker bounty by being the first entry to locate a “full Chrome exploit.” Justin Schuh, a Chrome security team member, spoke to ZDNet following Glazunov’s triumph, calling the hack “very impressive.” He said Glazunov “executed code with full permission of the logged on user.”

    “This is not a trivial thing to do,” Schuh added. “It’s very difficult and that’s why we’re paying $60,000.”

    Senior Vice President of Google Chrome and Apps, Sundar Pichai, confirmed the successful hack on his Google+ page. Now that the hack is known throughout the developer world, Pichai understandably said, “We’re working fast on a fix that we’ll push via auto-update.”

    Google’s always boasted that their browser, Chrome, is of top-notch security standards but this excellence makes it harder for Chrome developers to actually improve the platform. No known problems, nothing to really fix, right? The Chrome Security Team explains on their blog,

    “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve. To maximize our chances of receiving exploits this year, we’ve upped the ante.”

    While Glazunov is only the first to achieve the $60,000 prize, he by no means is meant to be the last. Google has said they will award prizes at the $60,000, $40,000, and $20,000 levels based on various levels of exploits that hackers can successfully locate in Chrome. Google has said it will award up to a total of $1 million for all winning entries.