The Google Chrome Security Team made the offer to hackers the world over: come to CanSecWest security conference, have a crack at finding Chrome exploits, win $60,000 if you succeed. A part of the Chromium Security Rewards Program, the contest is Google’s open-invitation to hackers to help Google identify exploits in the Chrome browser, which is based on the open-source project Chromium.
That challenge was met with vigor but one Russian university student successfully hacked into a fully patched computer running Windows 7 (64-bit) by using a Chrome sandbox bypass. Sergey Glazunov, a security researcher and long-time Chromium contributor, collected the hacker bounty by being the first entry to locate a “full Chrome exploit.” Justin Schuh, a Chrome security team member, spoke to ZDNet following Glazunov’s triumph, calling the hack “very impressive.” He said Glazunov “executed code with full permission of the logged on user.”
“This is not a trivial thing to do,” Schuh added. “It’s very difficult and that’s why we’re paying $60,000.”
Senior Vice President of Google Chrome and Apps, Sundar Pichai, confirmed the successful hack on his Google+ page. Now that the hack is known throughout the developer world, Pichai understandably said, “We’re working fast on a fix that we’ll push via auto-update.”
Google’s always boasted that their browser, Chrome, is of top-notch security standards but this excellence makes it harder for Chrome developers to actually improve the platform. No known problems, nothing to really fix, right? The Chrome Security Team explains on their blog,
While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve. To maximize our chances of receiving exploits this year, we’ve upped the ante.
While Glazunov is only the first to achieve the $60,000 prize, he by no means is meant to be the last. Google has said they will award prizes on $60,000, $40,000, and $20,000 levels based on various levels of exploits that hackers can successfully locate in Chrome. Google has said it will award up to a total of $1 million for all winning entries.