At the Pwn2own competition in Canada, a group of French hackers were able to bypass Google’s vaunted security features to take control of a Windows PC in less than five minutes.
The result is a reversal of last year’s Pwn2own, when Chrome stood undefeated at the end of the competition.
This year it was beaten by Vupen, a French firm controversial in security circles for selling the software vulnerabilities it discovers to government spy agencies.
“We wanted to show that Chrome was not unbreakable,” the firm’s head of research Chaouki Bekrar told ZDNet.
“Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year.”
The hack wins the firm 32 points in the overall Pwn2own competition.
Vupen used two previously unknown vulnerabilities to beat Chrome's security, which is seen as stronger than its rivals Firefox and Internet Explorer because of its use of “sandboxing”. The software, now the world's second most popular browser, effectively runs in isolation from the rest of the operating system. In theory, even if Chrome is hacked the attacker does not gain full control of the machine.
Previously hostile to attempts to discover vulnerabilities in software, major technology firms including Google, Microsoft and Facebook now cooperate with hackers and offer “bounties” for new discoveries.
Mr Bekrar said his team had worked for six weeks ahead of Pwn2own to uncover the vulnerabilities. They had also found ways to hack into Firefox and Internet Explorer, but wanted to demonstrate that Chrome was not unbeatable first.
“It’s not an easy task to create a full exploit to bypass all the protections in the sandbox,” he said. “I can say that Chrome is one of the most secure browsers available.”
Vupen said it will keep details of how it bypassed Google's sandbox technology private "for our customers".
Separate to Pwn2own but at the same Canadian conference, Sergey Glazunov, a Russian student also demonstrated a Chrome hack to claim a $60,000 bounty.
“It was an impressive exploit,” said Justin Schuh of Gooogle’s Chrome team.
“It required a deep understanding of how Chrome works. It’s a very difficult and that’s why we’re paying $60,000.”
Google is working on fast security updates for Chrome to patch the vulnerabilities.
http://www.berniebarlow.com/forum/profile.php?mode=viewprofile&u=60347
http://www.safa.net/forum/profile.php?mode=viewprofile&u=634820
http://bdforums.com/bdf//profile.php?mode=viewprofile&u=131601
http://exscientologykids.com/eskforums/profile.php?mode=viewprofile&u=37051
http://www.critterrunners.com/phpbb2/profile.php?mode=viewprofile&u=614866
http://www.hd-franken.com/phpbb//profile.php?mode=viewprofile&u=85987
http://innovate2succeed.com/phpBB2/profile.php?mode=viewprofile&u=25197