After managing to remain unscathed for four consecutive years, Google Chrome has finally been breached, and Google is rewarding the hacker with $60,000. Google Chrome’s security features were bypassed successfully by hackers in both Pwn2Own and Pwnium.
Pwn2Own is an annual hacking fest sponsored by HP, which challenges hackers to breach fully patched web browsers and operating systems. Google Chrome was the only browser that couldn’t be hacked for the past four years. This year, it was the first to fall. A team from the French security firm VUPEN, led by its co-founder and head of research Chaouki Bekrar, managed to take complete control of a fully patched 64-bit Windows 7 (SP1) machine within five minutes by using two zero-day exploits. VUPEN also claims to have zero-day exploits for Internet Explorer, Firefox, and Safari.
This year, Google is also running its own competition called Pwnium, which has a total bounty of $1 million. Google decided against sponsoring Pwn2Own, since its new rules don’t compel hackers to responsibly disclose vulnerabilities to the software developer. VUPEN itself intends to sell the exploits to its clients. Sergey Glazunov, a Russian university student, managed to bypass Google Chrome’s sandbox feature in Pwnium.
The breaches mean that Google will no longer be able to tout its clean record. However, Chrome developers aren’t mourning. While announcing the contest, Chris Evans and Justin Schuh from Chrome’s security team explained that they have a big learning opportunity when they receive full end-to-end exploits. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing.”