Hackers found and exploited two previously unknown security flaws in Google Chrome at a Vancouver IT security conference this week — the first time the browser has succumbed in such competitions.
The Pwn2Own and Pwnium competitions at the CanSecWest conference continue through Friday, but as of Wednesday, the first day of the competition, the Chrome browser had already taken a bit of a beating.
A team from Vupen Security demonstrated a previously unknown security vulnerability in Chrome within the first five minutes of the Pwn2Own contest, organized by HP Tippingpoint, the contest said in a congratulatory tweet Wednesday.
"Google Chrome is probably one of the most secure browsers and it was a big challenge for us to defeat its sandbox protection and show that it can be fully compromised," Chaouki Bekrar, CEO of Vupen Security, said in an email Thursday.
He said his team made a web page that could be visited by a user on an updated Windows system and fully updated Chrome browser. The web page contained code capable of "bypassing all security protections" on the browser and executing a command on the user's computer.
The contest is in its fifth year at the conference, and this is the first time that Chrome has succumbed to the work of the IT security experts at the conference, said Aaron Portnoy, manager of security research at HP Tippingpoint. In previous years, security flaws have been found in other browsers.
Meanwhile, Sergey Glazunov, a longtime contributor to the Google Chrome security program, successfully demonstrated a "full Chrome exploit" while competing remotely in the Google-sponsored Pwnium contest, which is focused only on the Chrome browser. He qualified for $60,000 out of up to $1 million that Google has set aside for the competition, which is in its first year.
"This is exciting," Sundar Pichai, senior vice-president of Chrome, said in a posting on the Google Plus social network Wednesday afternoon.
Created its own contest
Google has previously sponsored Pwn2Own, but pulled out this year in favour of its own contest, saying it did so because it found contestants could enter without having to reveal all the details of their security exploits to vendors such as Google.
Bekrar said his company doesn't accept the requirement to report the entire code of its exploit.
According to Pwn2Own's Twitter feed, Google claims it has a way of blocking Vupen Security's new exploit "without having seen it."
As of Thursday afternoon, Google had not responded to a request for comment from CBC News.
The Pwn2Own contest also includes a challenge in which competitors try to exploit vulnerabilities that have already been patched in the latest versions of Firefox, Internet Explorer, Safari and Chrome browsers. Competitors gain points for each success.
As of Thursday, Vupen Security had succeeded in two challenges each for Internet Explorer and Safari, as well as one for Firefox, and looked well on its way to winning the top prize of $60,000, sponsored by Hewlett Packard.