Google awards researcher over $110,000 for Android exploit chain

The bug bounty highlighted serious security issues in the Pixel smartphone.
Written by Charlie Osborne, Contributing Writer

Google has awarded a total of $112,500 to a security researcher for reporting an exploit chain which could be used to compromise Pixel mobile devices.

The tech giant revealed the technical details of the exploit chain on Wednesday.

In August 2017, Guang Gong from Alpha Team, Qihoo 360 Technology, submitted an exploit chain through the Android Security Rewards (ASR) program.

The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904.

The first vulnerability is a type confusion bug in the V8 engine which can be used for remote code execution inside Chrome's sandboxed renderer process.

The second security flaw is found in Android's libgralloc module, where a mismatch between map and unmap operations can cause a use-after-unmap error. This flaw can be used to escape from Chrome's sandbox.

When combined, the vulnerabilities can be used by attackers to remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.

If a user of a Pixel or other Android-based smartphone clicks on such a URL, their device can be compromised, potentially leading to the download and execution of additional malware payloads, hijacking, and surveillance.

Google says the find is the first working remote exploit chain submitted through the program to date.

Gong was awarded $105,000 for his report, with an additional bonus of $7,500 through the Chrome Rewards program.

The vulnerability chain was resolved as part of Google's December security update, which patched a total of 42 bugs.


In June 2017, Google increased the ASR payout for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise from $50,000 to $200,000.

The scheme has awarded researchers over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.
