Google patches $60k Chrome hole in 10 hours

Google patches $60k Chrome hole in 10 hours

Summary: Google has fixed a hole with its Chrome browser that allowed a security researcher to escape the sandbox and execute code on a machine, earning the white hat hacker a $60,000 bounty.

TOPICS: Security, Browser, Google

Google has fixed a hole in its Chrome browser that earned a white hat hacker $60,000 at the recent Pwnium 2 hacking contest.

The company released the fix for the vulnerability on Wednesday, around 10 hours after it was revealed at the Pwnium competition at 'Hack in the Box 2012' contest in Kuala Lumpur, Malaysia on Tuesday. The hacker — who goes by the name of 'pinkie pie' — found the vulnerability in the browser by combining two separate exploits, and netted a cool $60,000 for his discovery, as well as a free Chromebook.

"We're happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox," Chris Evans, a Chrome engineer, confirmed on the Chromium blog.

"Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a full Chrome exploit," he added.

In response to the disclosure, Google immediately got to work on patching the issue and put out a patched version of the browser less than half a day after the publication of the flaw.

This isn't Pinkie Pie's first success in breaking out of Google Chrome's sandbox; in March, he managed to combine six different exploits to break out of the sandbox and execute code. This hole was later patched with the release of Chrome 18.

Topics: Security, Browser, Google

Ben Woods

About Ben Woods

With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a smartphone, tablet, laptop, or any other piece of tech small enough to carry around with you.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Nice

    This is how we can keep hackers busy is offer rewards for finding the holes, so that they can be patched. Hackers look for the holes to make money and thus spend less time making exploits that can damage systems.
    • Except being unscrupulous is still more profitable, usually.

      Rewards like this aren't really tempting criminals from a life of crime, as exploiting a big enough hole is usually more lucrative than any payout. What this IS good at is as an incentive to get more honest people into white hat hacking.
    • An obscure hole in a browser fixed? Thats nice.

      I guess I should say thats VERY nice.

      Does this mean in any way shape or form Chrome is insecure?

      Nope. Not even a little bit.

      I got sick to death years ago of the Windows and IE haters making a big deal out of crap like this, and Im just as sick about hearing about it in reference to Chrome, Safari, IE or Firefox, so if anyone is going to crow that Chrome has another flaw, well, here is one very long term web surfer who couldnt give a rats behind.

      So long as the story and responses are kept in a reasonable realm of reality…all good.
  • Probably not too many bronies here...

    ...but for some reason imagining Pinkie Pie as a super secret hacker in her spare time amuses me.
    • Ha!

      We agree on that.

      Pinkie Pie is best hacker. *nod*
      Michael Alan Goff
  • Great idea....

    I think this whole thing is a great idea, especially from Google.

    There's lot of hackers out there who are going to get the message that there's legal, risk-free ways to make huge amounts of money putting their skills to use.

    It's a fantastic way to keep them busy and let them know they're appreciated.