Google bets million bucks its Chrome Web browser can't be busted

Google bets million bucks its Chrome Web browser can't be busted

Summary: Google is dropping out of the Pwn2Own security competition and offering up to a million dollar in prizes to hackers who can crack the Chrome Web browser on Windows 7.


Google bets big that its Chrome Web browser can't be busted.

Google bets big that its Chrome Web browser can't be busted.

Google is putting its money where its Chrome Web browser is. In a Chromium blog posting Chris Evans and Justin Schuh, two members of the Chrome security team, announced that Google will be offering 'multiple rewards per category, up to the $1 million limit, on a first-come-first served basis' for demonstrated security breaches of Chrome on Windows 7 .

That may be the safer bet than it sounds. Chrome, while not bullet-proof, is widely regarded as the more secure of the Web browsers. In CanSecWest Pwn2Own hacker contests, Chrome has never been broken.

In Google's security challenge, which is not connected with 2012's Pwn2Own competition, Google is looking for “full end-to-end exploits.” That way, “not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”

So, “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.” Here are the rule for the Chrome exploit competition:

$60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

All winners will also receive a Chromebook.

We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or “winner takes all.” We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.

Gentleman, sharpen your hacking skills and get to work now!

Google will be running this content on its own at the CanSecWest security conference in Vancouver on March 7th to 9th, the Pwn2Own venue, but independently of the Pwn2Own contest. Google is doing this because .”We discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.”

In a twitter note from the Pwn2Own contest organizer and sponsor, HP TippingPoint's, Zero Day Initiative (ZDI) “To clarify, if a team demonstrates 0day at#Pwn2Own2012, but doesn't end up as a winner, the vuln is still theirs and will not be reported. "

The split between Google and SPI doesn't appear to be hostile. Aaron Portnoy, Manager of the Security Research Team at TippingPoint Technologies who the man responsible for reverse engineering vulnerability submissions to ZDI, tweeted, “Nice to see over that after 5 years of the@Pwn2Own_Contest vendors are finally stepping up and offering big $ for vulns.

Still, while there has been a partings of the way, hackers will now have both Google's million dollars to compete with and Pwn2Own's own one-hundred-thousand plus worth of prizes to strive for. May the best hacker win!

Related Stories:

CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

Review: Chrome 17, faster than ever, more secure than ever.

Google working on strong password generator for Chrome

How do you use your browser's 'porn mode'?

Google Chrome gets another security makeover

Topics: Security, Google, Microsoft, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Just a comment

    But I had Chrome compromised at home and hit me with a fake AV recently. Chrome restarted as I was browsing a site and then wanted to launch java and flash with admin prvileges. I kept telling it no, restarted, and it continue to do so. I had a very recent backup so it wasn't a big deal. I went ahead and gave java admin rights, since it appeared to want to update, and it managed to remove the Windows Firewall Service and some encryption services. Nasty little bug.

    The moral of the story is that the Windows security with UAC stopped it from completely infecting my machine until I allowed it to elevate. That's clearly a Chrome exploit. Has it been fixed? Probably. But Chrome isn't perfect. And this isn't a comment on other browsers nor has it caused me to forsake Chrome. The same exploit may have had an impact on IE9. It also shows Chrome is popular enough that people are starting to target it. Safe browsing habits and caution are still the most important aspects of security for your average user.
    • None of the web browsers sandbox Java

      Just another reason why running as a standard user (and not in the default account) makes sense for Windows Vista/7. As a standard user, one would have to enter their Admin credentials for the exploit to run. This is why most enterprise Windows sysadmins disable the UAC prompt for authentication (but, not UAC itself) for their end users running in standard user accounts. Most exploits get stopped in their tracks this way.

      [i]I went ahead and gave java admin rights, since it appeared to want to update[/i]

      It appears that there was a bit of social engineering too. Just curious, was your JRE up-to-date at the time?
      Rabid Howler Monkey
  • Ditto

    @ liquid learner +1 I recently had one remove MSE and turn off firewall but windows security saved the OS as well
    preferred user
  • Security "breeches"?

    "...Google will be offering ???multiple rewards per category, up to the $1 million limit, on a first-come-first served basis??? for demonstrated security breeches of Chrome on Windows 7 ."

    "Security breeches"? You mean, like, browser underpants?
  • Hmm Why only for Windows 7?

    Doesn't Chrome offer the same kind of security on all Windows Platforms? XP, Vista, Win 7, etc.?
    • RE: Hmm Why only for Windows 7?

      Windows 7 is the latest and greatest version of Windows. Windows XP is 10 years old and does not support modern security features such as integrity levels and ASLR, both of which are supported on Vista and 7.

      My question is why only Windows? Google's Chrome web browser also runs on Macs. And it's sandboxed on Macs too.
      Rabid Howler Monkey
      • RE: Hmm Why only for Windows 7?

        Google dislikes Apple from what I have noticed more recently, maybe they want Safari to play catch-up.
  • Errrr.....

    Unsure how you can categorize Chrome browser as secure. Last SANS newsletter listed something like 13 vulnerabilities [7 high] and 2 weeks prior it had another [something like] 20 vulnerabilities. In the same period, IE had 4, Firefox and Opera had minimal amounts as well.
    So 33 vulnerabilities within a month is secure?

    Oh. Chrome is using the "contest" and limiting it to Windows 7 because Windows 7 is far secure than previous versions [so some odd vulnerability in older OS won't affect them].
  • WoW great spin SJVN

    So Google is pulling out of an independent contest that would show up its insecure browser and instead instituting a limited contest it controls where it can pay off particpants.

    I notice also that you get a Chromebook for a prize. What's second prize? - 2 Chromebooks?

    Your unashamed love of this advertising company is getting a little embarassing ;-)
    • Third prize is you're fired.

      Love the part about the prizes, lol
      • Fired? They're not Apple.

        Apple is the only company I know of attacking someone for telling them about security issues...
    • You're accusing HIM of spinning it?

      "In CanSecWest Pwn2Own hacker contests, Chrome has never been broken."

      Did you miss that sentence when you called it insecure? Also, it's not "insecure," it's "unsecured." Chrome is by far the most secure browser out there, which is why Google is the only company willing to put their money where their mouth is. I'm not sure who you are a fan of (I'm guessing Apple), but most other browsers are a joke compared to Chrome in terms of usability and security.
    • Google got burned by VUPEN last May (2011) ...

      when VUPEN successfully breached Chrome and refused to provide Google with the details. VUPEN did, however, publicize their success with variations of [i]we are legion[/i].

      Google appears to be saying "fool me once shame on you, fool me twice shame on me".
      Rabid Howler Monkey
  • Now, if it just worked as well as the other browsers

    Well, being secure is great, but if I remember in the security world one of the legs is availability. Since half the time I hit a normal web site, Chrome doesn't display the videos or some other multimedia correctly, and other browsers do display correctly, I'd say that Chrome is only partially secure.

    They might not be able to crack it easily, but if the web sites don't work people will go back to the browsers that display properly.

    Nice try but only half the equation.
  • Who Cares!

    I like my IE. Google should stick to what they know....advertising!
    • I am guest white hat hackers care.

      The person that can win up to a million dollars care.
  • spy on the hackers?

    "All winners will also receive a Chromebook."

    How pathetic... so this is going to attract serious hackers by offering them a tool which Google will use to spy on their activities? Come on..
    • A Chromebook does make sense, though ...

      ... as Google's Chrome browser is central to their challenge at CanSecWest 2012. What will attract the hackers is the prize $ that Google is offering.

      The hackers can spend the rest of the year trying to breach the Chrome browser running on Google's customized Linux.
      Rabid Howler Monkey