Sign up FAST! Login

Guy Takes Home $225,000 From Pwn2Own Hacking Competition

All four major browsers take a stomping at Pwn2Own hacking competition Ars Technica


The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.

A teenaged hacker named Pinkie Pie breaks out of Chrome's security sandbox.

The crowning achievement came Thursday as contestant Jung Hoon Lee, aka lokihardt, demonstrated an exploit that felled both the stable and beta versions of Chrome, the Google-developed browser that's famously hard to compromise. His hack started with a buffer overflow race condition in Chrome. To allow that attack to break past anti-exploit mechanisms such as the sandbox and address space layout randomization, it also targeted an information leak and a race condition in two Windows kernel drivers, an impressive feat that allowed the exploit to achieve full System access. "With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000," Pwn2Own organizers wrote in a blog post published Thursday. "To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration."

Despite huge leaps in secure code, nothing is immune when hackers are motivated.

Lee also hacked the 64-bit Internet Explorer 11 with a time-of-check to time-of-use exploit that achieved read/write privileges. To bypass Windows defenses, he unleashed a sandbox escape through privileged JavaScript injection. The hack earned him $65,000. Lee also took down Apple's Safari browser with a use-after-free exploit and a separate sandbox escape. That hack earned him $50,000 and brought his total winnings to $225,000.

Stashed in: Hackers!, Software!, Web Browsers, Google FAIL

To save this post, select a stash from drop-down menu or type in a new one:

That guy seems incredibly smart to have found those exploits in such a short amount of time. 

You May Also Like: