February 4, 2011

Google Offers $20,000 To Hack Chrome

Google is offering $20,000 in prize money for the winner of the annual Pwn2Own hacking contest on top of the $15,000 already promised.

Any contestant who is first to successfully exploit its Chrome browser during the contest will be rewarded the prize money.

Chrome was originally going to be excluded from this year's competition because it is based on the same Webkit engine that runs another Pwn2Own entry, Apple's Safari browser.

"It shows a mature attitude to the problem because they (Google) know that the actual release of the information is something that just makes the thing stronger," Dragos Ruiu, organizer of the CanSecWest security conference, which hosts the contest, said in a statement. "It gets rid of vulnerabilities. Most of the vendors I talk to are like, 'Well, do you have to put that in?'"

Chrome was the only browser entered that did not take a beating during last year's event.  Other browsers all succumbed to exploits that allowed them to be remotely commandeered.

Last year, researchers said the security sandboxing buttressing the Google browser was so hard to defeat that successful exploits were worth more than the $10,000 available for each browser hack.  Google has since paid over $14,000 in bounties to researchers who uncover security bugs in the browser.

However, in the 12 months that have intervened, the technology has become less exotic as software makers like Adobe have added sandboxing to the repeatedly-abused Reader app and researchers have found ways to bypass the protection.

"Honestly, I can't see them not getting hacked," Ruiu said, referring to Google. "A lot or people have a stake in taking the time and looking at what it takes to trampoline out of a VM-like environment. There are more techniques and people are more willing to discuss those techniques."

Last year's contest paid $10,000 to the first contestant who hacked any of the eligible browsers, including Internet Explorer, Firefox, Safari and Chrome.  It also paid $15,000 for attacks on any one of four major smartphones. 

This year's contest will be mostly the same, except phones running the Symbian operating system have been replaced with those running Windows Phone 7.

Contestants will have the benefit of using a radio frequency isolation booth so they can more directly target the phones' baseband processors. 

The competition will take place March 9th through the 11th in Vancouver.


On the Net: