At the end of February 2012, Google announced that it would pay up to $1 million in total prizes to skilled hackers who succeeded in hacking Google Chrome. The contest was scheduled to take place during the annual Pwn2Own hacking contest. The $1 million incentive apparently worked: French hackers brought down Google Chrome on the first day of Pwn2Own.
Interestingly, during previous editions of the annual Pwn2Own hacking contest nobody seemed to give Google Chrome a go. The official explanation was that Google Chrome didn’t seem to have any vulnerabilities, while everything else, from Internet Explorer to Safari, did.
So the minds behind Google Chrome figured they needed to attract the crème de la crème of hackers. As they put it, proud as they are “of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve”. As in any other industry, if you want high achievers you have to offer good enough incentives. And so French hackers gave Google enough exploits “to learn and improve”.
During the annual CanSecWest security conference in Vancouver, the hacker team Vupen, drawn by Google’s incentive, focused their efforts on hacking Chrome. Backed by a six-week plan of attack against Chrome, Vupen successfully cracked the browser. They used two zero-day exploits coupled with a bait website that, once visited, would open the Chrome extension outside the safe sandbox area. In other words, Vupen managed to gain full control of Chrome’s sandbox.
However, Google dismissed their hack, saying that their method was not in accordance with the contest’s rules. Basically, as Vupen’s video evidence of how they brought Google Chrome down showed, the team implemented their exploits using code not accepted by the rules. As experts point out, it seems that Flash was the third-party code that allowed the hackers to gain control of Chrome.
Vupen co-founder Chaouki Bekrar admitted that the task wasn’t exactly easy. He stated: “the Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox”.