Hacking Google's Chrome browser can pay, and Google is eager to foot the bill. As part of an annual hacking contest, the company is offering a special reward of $20,000 and a Google Chrome Cr-48 notebook for a successful break-in.
The rules are straightforward. The hack will have to be accomplished on a Chrome web browser on the most recent, 64-bit version of Windows 7 or Mac OS X. A "sandbox escape," which will combine the Chrome flaw with another one to affect the computer's system, must be included. According to the rules, the contestant must "pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code." Plug-ins, other than PDF, cannot be used.
$125,000 in Cash Prizes
The PWN2OWN contest will run from March 9 to 11 and will be featured at the CanSecWest Applied Security conference in Vancouver. The full Google prize is only available on the first day of the conference, and each contestant will have 30 minutes. If the hack takes place on later days, the prize is $10,000 from the contest sponsor for a non-Google code sandbox escape, and $10,000 from Google for a Chrome-specific bug.
There are also challenges at the conference to hack Apple's Safari, Microsoft's Internet Explorer, or Mozilla Firefox browsers, also running on either 64-bit Windows 7 or Mac OS X. The PWN2OWN contest is organized by The HP TippingPoint Zero Day Initiative, a program for "rewarding security researchers for responsibly disclosing vulnerabilities."
The Zero Day Initiative purchases all the winning vulnerabilities, hands them over to the vendors affected, and publicly discloses the information.
PWN2OWN is now entering its fifth year, and there are cash prizes and bounties in the non-Chrome competitions. Successful IE, Safari or Firefox hacks are rewarded with a $15,000 prize plus a laptop and ZDI reward points for additional bonuses.
In all, there are $125,000 in cash prizes, an increase of $25,000 over last year. HP TippingPoint is funding $105,000, and Google the rest. Laptop prizes include a Sony VAIO, an Alienware m11x, and an Apple MacBook Air 13-inch, in addition to the Google Cr-48.
ZDI is managed by HP TippingPoint, whose Digital Vaccine (DV) Labs is an Austin, Texas-based research organization for vulnerability analysis and discovery. DV Labs develops filters for vulnerabilities validated by ZDI. CanSecWest is an annual conference that focuses on applied digital security.
But browsers aren't getting all the fun. The contest also includes mobile phones, with attempted attacks conducted via a base station on site.
For the mobile-phone section of PWN2OWN, four target devices have been chosen -- the Dell Venue running Windows 7, the iPhone 4 with iOS, the BlackBerry Torch 9800 using BlackBerry 6 OS, and the Android-based Nexus S.
The rules state the hack must "require little or no user interaction and must compromise useful data from the phone." Attacks that could incur authorized cost, such as silently calling long-distance numbers, are acceptable.