Pwnium is in progress and we have a second full Chrome pwn, interestingly by a teenager who will get $60,000 from Google, as announced. The hacker, who identified himself only as Pinkie Pie, said he spent the past week and a half working on the attack. It combined three previously unknown vulnerabilities to gain full system access to a Dell Inspiron laptop that ran a fully patched version of Chrome on top of the most up-to-date version of Windows 7.
This is the second full attack on Google Chrome during the conference. The first hack was by Sergey Glazunov, who also won $60,000 from Google. 5 Chrome vulnerabilities have been found as part of these two hacks and 2 of them have been patched.
While “Pinkie Pie” was previously unknown to onlookers here, Googlers described him as a “known and respected security researcher.” He said he never considered selling the vulnerability to third-party brokers. “I’ve never sold a vulnerability before.”
Strangely, while sandbox escapes are rare, Pinkie Pie said the easiest part of his attack was jumping out of the Chrome sandbox after the initial exploit.
“I got lucky because I found a way [to jump out of the sandbox] very early. I figured it out by looking at it carefully,” he added. He declined to discuss specifics of the vulnerabilities or the exploit techniques, deferring comments to Google representatives.
So, now we can wait for another patch from the Google team fixing this vulnerability.
For many, this will be a reason to say, “See, Chrome is not as secure as you think.” Yes, we have to agree, no software is perfect. But this move by the Chrome team, encouraging security researchers to find vulnerabilities in the browser so they can be patched before the “bad guys” get their hands on them, I must call “smart.”