Google's Chrome browser hacked twice in one day
Google's Chrome browser – untouchable in the past two Pwn2Own challenges – was the first to be compromised at CanSecWest 2012

Google's Chrome browser, which has been untouchable in the past two Pwn2Own challenges, was the first to be compromised this year at CanSecWest 2012.



First, Vupen Security, a French company of hackers, took down Chrome in the first five minutes of the competition, which is designed to help software developers address potential breaches.
Although Chrome was the first to be taken down, the Vupen Security hackers admitted it was a directed effort. They also admitted Google's Chrome web browser was the most secure, according to US reports.
Vupen co-founder and head of research Chaouki Bekrar said it was not easy to create a full exploit to bypass all the protections in the sandbox. Bekrar added that Chrome is one of the most secure browsers available.
Vupen, which controversially sells software vulnerabilities it discovers to government spy agencies, used two previously unknown vulnerabilities to beat Chrome's security.
Second, in Google's alternative "Pwnium" contest, Chrome researcher Sergey Glazunov earned a quick $60,000 for an attack that bypassed the Chrome sandbox using only code native to Chrome.
Google withdrew sponsorship from the Pwn2Own contest this year due to a change in the rules, which allows contestants to enter Pwn2Own without having to reveal full exploits. Instead, Google created Pwnium, with up to $1m in prize money in exchange for full disclosure.
Less than 24 hours after congratulating Glazunov for his work, Google had updated Chrome’s stable channel to version 17.0.963.78 on Windows, Mac and Linux to patch the vulnerabilities used.
Vupen, however, said it will keep details of how it bypassed Google's sandbox technology private – "for our customers" – according to The Telegraph.