Google's Chrome browser hacked twice in one day

Google's Chrome browser, which has been untouchable in the past two Pwn2Own challenges, was the first to be compromised this year at CanSecWest 2012.

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

First, a French company of hackers, Vupen Security, took down Chrome in the first five minutes of the competition designed to help software developers address potential breaches.

Although Chrome was the first to be taken down, the Vupen Security hackers admitted it was a directed effort. They also admitted Google's Chrome web browser was the most secure, according to US reports.

Vupen co-founder and head of research Chaouki Bekrar said it was not easy to create a full exploit to bypass all the protections in the sandbox. Bekrar added that Chrome is one of the most secure browsers available.

Vupen, which controversially sells software vulnerabilities it discovers to government spy agencies, used two previously unknown vulnerabilities to beat Chrome's security.

Second, Chrome researcher Sergey Glazunov earned a quick $60,000 for an attack that bypassed the Chrome sandbox using only code native to Chrome in Google's alternative "Pwnium" contest.

Google withdrew sponsorship from the Pwn2Own contest this year due to a change in the rules, which allows contestants to enter Pwn2Own without having to reveal full exploits. Instead, Google created Pwnium, with up to $1m in prize money in exchange for full disclosure.

Less than 24 hours after congratulating Glasunov for his work, Google had updated Chrome’s stable channel to version 17.0.963.78 on Windows, Mac and Linux to patch the vulnerabilities used.

Vupen, however, said it will keep details of how it bypassed Google's sandbox technology private – "for our customers" – according to The Telegraph.