- 20 August 2012 11:36
Google announces Pwnium 2, raises prize money for Chrome hack to $2m
In March this year we wrote about Pwnium, Google's "hack the Chrome browser for money" competition run at the CanSecWest conference.
Two winners took home $60,000 each after crafting devious, multi-stage attacks against the Mountain View browser.
If you fancy a prize, you've got just under two months to get your exploit ducks in a row - not a terribly long time, if the complexity of the previous winning entries is anything to go by.
There are a few changes from March.
The prize money goes up from $1m to $2m - perhaps a bit of a media stunt by Google, since last time only 12% of the prize money was actually claimed.
The prize categories are adjusted from $20k-$40k-$60k for low-medium-full exploits to $40k-$50k-$60k. As Google explains:
[W]e've compressed the reward levels closer together for Pwnium 2. This is in response to feedback, and reflects that any local account compromise is very serious. We're happy to make the web safer by any means - even rewarding vulnerabilities outside of our immediate control.
The final prize change is that instead of presenting every winner with a Chromebook, Google will present the writer of the best exploit with the Acer laptop used as the standard test platform during the competition.
(That doesn't seem like much of an endorsement for Google's Chromebook devices - dedicated netbook-type computers that aren't an awful lot more than a walled-off browser lashed to Google's cloud apps. Can't even give the jolly things away.)
What I've referred to as low, by the way, means an exploit that relies entirely on vulnerabilities outside Chrome itself; medium means that some non-Chrome bugs were combined with a Chrome flaw; and full means that only bugs in Chrome were exploited. You need to achieve what Google calls "Win7 local OS user account persistence" for your attack to qualify as an exploit.
Local OS means you're running as a regular application, so you've escaped the limitations of running inside the browser; persistence means you'll keep running even after the browser exits and the computer is rebooted; and user account means you don't need to get all the way to administrator privilege.
Loosely speaking, that means your exploit would be perfect for a drive-by malware attack that would leave the computer infected inconspicuously and indefinitely.
Your exploit, of course, needs to be what is known as zero-day - Chrome and the surrounding OS will be fully patched when the competition opens.