Google Chrome pwned in final Mobile Pwn2Own hack

After day 1 saw the compromise of iOS 6 and 7 through Safari and the Samsung Galaxy S4 through Samsung apps, Google Chrome on the Nexus 4 and Samsung Galaxy S4 was fully-compromised. The competition is now over. [UPDATE: The bugs are fixed.]

Google Chrome is the last product to fall in Mobile Pwn2Own 2013, sponsored by HP's Zero Day Initiative. Yesterday, on day 1 of the 2 day competition at PacSec Tokyo 2013, iOS 6 and 7 and the Samsung Galaxy S4  were hacked .

Chrome was taken down by "Pinkie Pie" (no further identification is provided). The attacks were demonstrated first on a Google Nexus 4 and then on a Samsung Galaxy S4.

[UPDATE: Google has already patched the Chrome bugs demonstrated by Pinkie Pie.]

Pinkie Pie won the full $50,000 award for using two vulnerabilities in Chrome, first an integer overflow to get remote code execution, then another unspecified vulnerability which resulted in a full sandbox escape. The vulnerabilities have been reported to Google.

These vulnerabilities would allow an attacker to take full control of the device.

Show Comments