JUST IN: Microsoft to open source more of .NET, and bring it to Linux, Mac OS X

Teenager hacks Google Chrome with three 0day vulnerabilities

Topic: Browser

Teenager hacks Google Chrome with three 0day vulnerabilities

Summary: "Pinkie Pie," who asked to remain anonymous because he had not been authorized by his employer to participate in the contest, said he chained three different vulnerabilities to build an exploit to escape the Chrome sandbox.

Ryan Naraine
SHARE:
TOPICS: Browser, Apps, Google, Security
21

A teenage hacker who goes by the "Pinkie Pie" handle has hacked into Google Chrome using three distinct zero-day vulnerabilities to evade the browser's protective sandbox.

The exploit was used as part of Google's Pwnium hacker contest and earned the researcher the maximum $60,000 cash prize.

follow Ryan Naraine on twitter

"Pinkie Pie," who asked to remain anonymous because he had not been authorized by his employer to participate in the contest, said he chained three different vulnerabilities to build an exploit to escape the Chrome sandbox.

A Google spokesman on site confirmed the winning exploit. He said the company's security response process would kick in immediately to push out a patch.

"We have a team standing by waiting for this.  We have three different teams working on putting together the fix, building a patch and releasing it for our customers," he said.

[ SEE: How Google set a trap for Pwn2Own exploit team ]

While "Pinkie Pie" was previously unknown to onlookers here, Googlers described him as a "known and respected security researcher."

In an interview after successfully launching the drive-by download exploit, Pinkie Pie said he worked for about one-and-a-half weeks to find the vulnerabilities and write a reliable exploit.

The exploit worked on a fully patched Windows 7 machine (64-bit) and did not require any user action beyond normal web browsing.

Pinkie Pie has never submitted a vulnerability report to Google and created this multi-stage attack specially for the Pwnium contest.

He said he never considered selling the vulnerability to third-party brokers.  "I've never sold a vulnerability before."

Strangely, which sandbox escapes are rare, Pinkie Pie said the easiest part of his attack was jumping out of the Chrome sandbox after the initial exploit.

"I got lucky because I found a way [to jump out of the sandbox] very early.  I figured it out by looking at it carefully," he added.

He declined to discuss specifics of the vulnerabilities or the exploit techniques, deferring comments to Google representatives.

ALSO SEE:

  • Pwn2Own 2012: Google Chrome browser sandbox first to fall
  • CanSecWest Pwnium: Google Chrome hacked with sandbox bypass
  • Charlie Miller skipping Pwn2Own as new rules change hacking game
  • CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover

    • Topics: Browser, Apps, Google, Security

    Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

    Talkback

    21 comments
    Log in or register to join the discussion

    • I'm shocked, shocked I tell you, to hear that there's another chrome

      security hole. The chrome fanbois said that the sandbox couldn't be broken out of. One teenager, one week, three zero days, one driveby exploit. What happened to the many eyeballs?
      Johnny Vegas
      Reply Vote

      • Umm...

        This *is* the many eyeballs principle in action. He was able to find the flaws by looking at the code.
        masonwheeler
        Reply Vote

    • Why Fellow Brony?

      I honestly don't care if you hack Google chrome, but why did you have to do it as Pinkie Pie? Please don't take the name from the ponies. Any other name but Pinkie Pie, hell, even Gilda or Trollestia. Pinkie will hate you FOREVERRRRRRRRRRRR. (any one who reads this and doesn't understand, just Google MLP FiM or Bronies)
      Da_Rock_1119
      Reply Vote

      • Misunderstanding

        You seem to be confused. Hacking is not always a bad thing, especially in this context. He is a white hat hacker, a person that finds security vulnerabilities and reports them to the company so they can fix it before bad hackers can take advantage of it.
        pcdude2143
        Reply Vote

      • Confused

        Why? This is awesome.

        He isn't hacking for personal gain (Aside from the prize money), he is a security researcher who hacks things to expose weaknesses that the companies can then fix and prevent other hackers with similar skill but less noble goals from exploiting. If you had actually read the article...

        This paints bronies (And Pinkie) in a GOOD light, and considering how much the media tends to misrepresent us, we should take what positive press we can get.
        Xeddrief
        Reply Vote

      • You missed a bit.

        Ha Ha you Don't get it do you? He's a computer security analyst, This kind of thing is a day job. Plus this contest was the most white knight thing you can get. He harnessed the 4th wall Breaking power's of his namesake to find security holes in Google's product and then submit his findings back to google so they can fix them.
        Nintyuk
        Reply 1 Vote

      • lol

        That homophobic! but pinky can also be a good Trojan Horse
        Alexander Villalba
        Reply Vote

    • Pinkie Pie

      has all the cheat codes enabled
      ahumeniy
      Reply 1 Vote

    • Where are Linux Geek and Deitrich?

      They should be on here claiming how this is MicroSofts fault and not google's/
      hopp64
      Reply Vote

      • You ever notice

        they are conspicuously absent from articles like this... no sort of "MS must die because they are better" or "Linux is the best I'll stake my reputation on it" quotes... just tumbleweeds and the sounds of crickets....
        athynz
        Reply 1 Vote

    • Wow

      ASLR and DEP fall yet again. Forget the browsers. We all knew they have holes - we get browser vulnerability patches all the time, so that's no surprise. Of course, Microsoft's IE browser has proven to be 'unique' among browsers where vulnerabilities are concerned. Even now, Microsoft is still patching vulnerabilities introduced with IE6 in 2001 which are still present in 'modern' IE9 and IE10. Now [i]that's just scary.[/i]

      What's interesting is that the much touted Windows ASLR and DEP mitigations have fallen more times than any individual browser! These hackers are destroying those mitigations at will, like a knife through butter. Looks as if ASLR and DEP may actually have just as many holes as your typically browser, yet I don't recall ASLR and DEP vulnerabilities being discovered and patched monthly as is the case with browser holes. I guess that's what happens when you don't have enough people looking closely at your code. You can't fix what you can't find, and that allows users to get a false sense of security when they see low vulnerability counts.
      eMJayy
      Reply Vote

      • Well yeah...

        If you understand how programming works on the low levels, it's immediately obvious that ASLR is nothing but "security theater." It doesn't prevent any attacks; it just moves the target around a little, making it slightly more complicated to make the attack work.
        masonwheeler
        Reply Vote

      • Dep/ASLR were not invented by MS

        DEP/ASLR were not the brainchild of MS. In fact, ASLR was invented by an independent team of open-source programmers (the PaX team) and first tested on Linux back in 2001. The PaX implementation is still the most robust on any platform.

        I always find it funny when people credit MS with those technologies. Microsoft simply stole it like they do everything else.
        KodiacZiller
        Reply Vote

    • Just wondering..

      " Pinkie Pie, who asked to remain anonymous because he had not been authorized by his employer to participate in the contest"

      Or was it really because he 'borrowed' some of the zero day exploits from his employers?
      boycottFUD
      Reply Vote

    • Pinkie Pie for President!

      Okay, maybe not President ... but kudos to "him" for doing things the right way. He found the vulnerability, exploited it to earn some prize money, but didn't breath a word to anyone but Google, so that they can fix it.

      The world needs more Pinkie Pies!

      Maybe if more companies paid folks when they report real vulnerabilities .... ?
      jscott69
      Reply Vote

    • Just

      More covering up of Goo#le's browser weaknesses!!!
      eargasm
      Reply Vote

    • This is not how you write secure code!

      ???We have a team standing by waiting for this."

      Come on, this is not how one writes secure code! No code is becoming more secure by reacting to vulnerabilities found by others --- one has to design and write the code that it cannot be exploited.
      danbi
      Reply Vote

    • AND YOU IMAGINE IF. . . .

      There were no hackers, spammers, trojans or viruses?
      All the software in the world be BLOATED big time.
      .
      Maybe SOME hacking is a good thing?
      .
      fm-usa
      Reply Vote

    • Pinkie Pie is an expert fourth wall breaker.

      Pinkie Pie is notorious for breaking the fourth wall in MLP FIM. In this case the fourth wall of the google sandbox. Right on fellow Brony!
      VictorDaworker
      Reply 1 Vote

    • Made me think my fellow brony. XD

      This >>> http://www.youtube.com/watch?v=J9_HWJ9rsw4

      But on the good side...

      What do you need to know to become a white hat? Reading code? Memory? making downloads?
      Tedd Mamuyac
      Reply Vote