Pwn2Own hacker earned $916 a second for pounding Chrome, but all big browsers busted

It's win-win. Security researchers busted major web browsers during Pwn2Own to collect bounty payouts of $557,500, and vendors will make users safer when they patch the hackable flaws in Firefox, Internet Explorer 11, Chrome, and Safari.


Imagine earning $916 a second for a period of two minutes. That's what one security researcher raked in during the Pwn2Own contest at the CanSecWest security conference in Canada. South Korean security researcher JungHoon Lee, aka lokihardt, walked away from Pwn2Own with $225,000 and the laptops he used to exploit the browsers. That's an exceptionally impressive haul. Especially impressed with Lee's hacking prowess, the Pwn2Own organizers noted, "There are times when 'Wow' just isn't enough."

It's not too surprising that all the major web browsers fell from grace, as hacking them seems to be what happens at the annual Pwn2Own competition. Yet in 2015, Lee succeeded in earning the single highest payout in the history of Pwn2Own: $916 a second, or $110,000 in a mere two minutes.

$240,000 awarded on day two of Pwn2Own

On day two of beating up browsers, Lee stepped up to the plate for the first of his three targets. He hit a home run by exploiting a 64-bit version of Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) weakness, which gave him read/write permission, and bypassed security defenses with a sandbox escape through privileged JavaScript injection. Lee walked away with $65,000 for his medium-integrity code execution.

Next, Lee showed how to take out both the stable and beta versions of Google Chrome. "He leveraged a buffer overflow race condition in Chrome, then used an info leak and race condition in two Windows kernel drivers to get SYSTEM access," wrote Dustin Childs on the HP Security Research blog. "With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000."

For his third target, Lee took aim at Apple Safari, hacking it through a use-after-free (UAF) vulnerability in an uninitialized stack pointer and managing to execute his code outside Safari's sandbox. He earned $50,000 for busting Apple's browser and a grand total of $225,000 in just one day.

HP Security Research's Zero Day Initiative gives contestants, both teams and individuals, 30 minutes to exploit fully patched browsers. Another security researcher, ilxu1a, also worked alone on day two of Pwn2Own. He hammered Mozilla's browser before you could even yell out a "Yo, Firefox" warning. Blink and you would have missed it, as ilxu1a needed less than one second to exploit an out-of-bounds read/write vulnerability, which resulted in medium-integrity code execution. He walked away with $15,000 for the bug.

Although ilxu1a also planned to pummel Chrome, he had some issues with his info leak and ran out of time. However, when considering just the pwnage by these two individual competitors on day two of the hackfest, they walked away with $240,000.

$317,500 awarded on first day of Pwn2Own

On day one of Pwn2Own, research teams and individuals walked away with a total of $317,500 for successfully attacking Adobe Flash, Adobe Reader, Firefox, IE 11 and Windows. Based purely upon time, Mariusz Mlynski had the most impressive performance by busting the Firefox browser in 0.542 seconds for privilege escalation, which allowed him to pwn Windows as well.

Almost immediately following Pwn2Own, Mozilla fixed the Firefox vulnerabilities demonstrated during the competition by releasing build 36.0.3.

In all, $557,500 in bounties was paid out to researchers. The Windows operating system was hammered with five bugs, and four more flaws were exploited in Microsoft's Internet Explorer 11. Mozilla Firefox, Adobe Flash and Adobe Reader each had three vulnerabilities. The hackers exploited two holes in Apple Safari and one in Google Chrome.

The Zero Day Initiative hands the exploits over to the vendors; those exploits will be made public after the vendors have a chance to patch the holes in their browsers.
