Two simultaneous browser security hacking challenges ended late Friday with a dramatic conclusion. More than $1 million in security awards had been put up for hackers to claim at Google’s Pwnium and HP TippingPoint’s Pwn2Own challenges, both held at the CanSecWest security conference in Vancouver. But the vast majority of that prize money went unclaimed, despite several last-minute successful hacks.
The drama in both contests came right down to the wire.
The Google Pwnium security contest was supposed to end at 2:00 pm PT on Friday, nearly three days after the contest’s kickoff. At 1:47 pm PT, with only thirteen minutes left in the contest, a teenage security researcher stepped up to the plate to attempt a full Chrome hack. Three hours later, Google officially confirmed that the young researcher, working under the alias “PinkiePie,” had fully “pwnd” Chrome with three exploits. For his efforts, PinkiePie was awarded $60,000.
While PinkiePie’s exploit was officially confirmed late Friday, Google apparently wasted no time in rushing to fix the flaw. Saturday afternoon, Google updated their browser to Chrome stable 17.0.963.79 fixing the PinkiePie flaw. PinkiePie’s flaw was officially reported by Google to be an “Errant plug-in load and GPU process memory corruption.”
The PinkiePie exploit was only the second submission for the Pwnium 2012 event. On the first day of the contest, researcher Sergey Glazunov claimed the first $60,000 prize. Glazunov’s flaw was officially identified by Google as being a cross-site scripting and bad navigation flaw.
While Google did pay out $120,000 in awards at the Pwnium event, they had offered as much as $1 million in payouts — yet only two researchers came forward, leaving $880,000 on the table.
Pwn2Own Pays Out $90,000 in Awards
Also at CanSecWest, organizer HP TippingPoint had originally set aside $105,000 in prize money for the Pwn2Own event. As Friday drew to a close, $90,000 of that money had been claimed — leaving $15,000 on the table with no researchers stepping up to claim third place. The top point scorer was awarded $60,000 and second place was awarded $30,000. Third place had been allocated to get $15,000.
The Pwn2Own 2012 event took a different approach than in previous years. Rather than simply award prizes to researchers for browser exploits, contest organizers implemented a points system to determine winners. Security firm VUPEN was the top point scorer with 123 points, 64 of which came from zero-day exploits. VUPEN successfully exploited both Chrome and Microsoft Internet Explorer.
In contrast to the Pwnium Chrome flaws, the VUPEN chrome exploits have not yet been patched by Google. The reason: HP TippingPoint is only officially handing over the bugs this week.
The only other contestant in Pwn2Own 2012 was the team of Willem Pinckaers and Vincenzo Iozzo. At 3:52 PM PT on Friday, the Pwn2Own contest organizers officially announced that Pinckaers and Iozzo had successfully demonstrated a zero-day flaw in Firefox. In the final tally, the Pinckaers and Iozzo team scored 66 points, placing second in the contest.
Unlike in previous years’ Pwn2Own events, no researchers attempted any exploits against Apple’s Safari browser.