Google's Chrome browser hacked twice in one day

• Published: 09 Mar 2012 8:45

Google's Chrome browser, which has been untouchable in the past two Pwn2Own challenges, was the first to be compromised this year at CanSecWest 2012.

First, a French company of hackers, Vupen Security, took down Chrome in the first five minutes of the competition designed to help software developers address potential breaches.

Although Chrome was the first to be taken down, the Vupen Security hackers admitted it was a directed effort. They also admitted Google's Chrome web browser was the most secure, according to US reports.

Vupen co-founder and head of research Chaouki Bekrar said it was not easy to create a full exploit to bypass all the protections in the sandbox. Bekrar added that Chrome is one of the most secure browsers available.

Vupen, which controversially sells software vulnerabilities it discovers to government spy agencies, used two previously unknown vulnerabilities to beat Chrome's security.

Second, Chrome researcher Sergey Glazunov earned a quick $60,000 for an attack that bypassed the Chrome sandbox using only code native to Chrome in Google's alternative "Pwnium" contest.

Google withdrew sponsorship from the Pwn2Own contest this year due to a change in the rules, which allows contestants to enter Pwn2Own without having to reveal full exploits. Instead, Google created Pwnium, with up to $1m in prize money in exchange for full disclosure.

Less than 24 hours after congratulating Glasunov for his work, Google had updated Chrome’s stable channel to version 17.0.963.78 on Windows, Mac and Linux to patch the vulnerabilities used.

Vupen, however, said it will keep details of how it bypassed Google's sandbox technology private – "for our customers" – according to The Telegraph.