Over $3M in Prizes to Hack Google Chrome

Google's contest at the CanSecWest conference:

Today we’re announcing our third Pwnium competition: Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS.

We’ll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD:

  • $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
  • $150,000: compromise with device persistence -- guest to guest with interim reboot, delivered via a web page.

We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.

News article.

Posted on February 7, 2013 at 6:35 AM • 11 Comments


JohnJ • February 7, 2013 7:20 AM

Alternate headline: "A Million Pis for Chrome Crackers"

On a more serious note, when vendors subject their products to scrutiny - in the security arena or otherwise - it is almost always good for consumers.

TLA • February 7, 2013 9:22 AM

This will also increase the prices paid by governmental agencies (TLA) buying exploits for Chrome OS, to more than $150,000. TLA have an annual objective of 0day exploits to buy, and billions of $.

Result: more people will try to develop exploits of Chrome OS. But Chrome OS won't be safer.

Google's $3141590 cannot compete with them.

Zen DDoS Protection • February 7, 2013 10:19 AM

Well I do believe that will help a little bit. I doubt that anyone will exploit an updated version of Google Chrome this year, the automatic update with the sandbox makes it very secure.

BTW, in last year's edition, VUPEN hacked into Chrome and declined to reveal how they escaped the sandbox. They said they were going to sell the code instead. What happened with the code?

Zen DDoS Protection

Bob • February 7, 2013 10:34 AM

Google Chrome itself is a trojan horse. They do lots of nasty things in the name of Update!
If you install any Google product, just a command from a general is enough to spy on your machine (as most people have at least one Google product installed, like Chrome or the Gmail plugin...).

Nick • February 7, 2013 12:19 PM

I agree, but look into Kaspersky products when you get some time. And don't forget our 'own' Adobe products.

But Kaspersky's database of file hashes from their customers is still one of the coolest file correlation techniques I have seen for offline social network analysis.

Atavia Jones • February 7, 2013 6:01 PM

Any sincere commitment to security would mean they offer strong payment regularly, not just with one show where one has to jump through a bunch of hoops to join and get involved with.

The payment I am seeing from these firms is paltry compared to what I see from the government black market. (Which I have never seen is so great, though just from peer talk.)

I do not know about Chrome OS, but the Android OS has some serious weaknesses in it.

If you gain access to the user's Google credentials, you can gain access to their Google Play site where you can force upload from the web remotely whatever programs you wish onto their system.

Google does not encrypt their credentials in their mail application's database -- which is not secured permissions wise.

And they have a lot of sites where someone could steal their cookies. Like one sees with this recent Yahoo hack.
Their main sites are very hard core secured at the web level, but not so with all of their far flung sites of the same domain.

(Their main sites' security is not so secure when combined with certain Android applications.)

I strongly doubt Chrome OS is "all that", and if it was, they would feel confident in offering stronger monetary rewards all the time.

TLA • February 8, 2013 2:34 AM

Want to cash in Google's money without actual research?

(1) set up a Chrome OS as a blog server paraphrasing articles about the fortune of China's leaders.
(2) firewall any non-http inbound connection with an OpenBSD computer (or other secure computer, see http://www.schneier.com/blog/archives/2013/02/new_york_times_3.html#c1138161 for details).
(3) publish on the blog that you regularly visit english.cri.cn to check that they don't write about it.
(4) increase your visibility through Search Engine Poisoning, comments at NYTimes newspaper, private mail to NYTimes under China's scrutiny, ...
(5) publish the OS version of your blog server.
(6) visit english.cri.cn regularly, and use the OpenBSD box to log all answers.
(7) parse these answers on OpenBSD. This is the difficult step.
(8) sell this 0day exploit to Google.

TLA • February 8, 2013 3:35 AM

To make it shorter: set up a honeypot to grab the 0day Google is paying for.

This is nice because this is taking a bug from the black market to the vendor. And this makes money.

The TLA are already making honeypots, but won't sell such 0days to vendors like you may do now.

Nick P • February 8, 2013 10:13 AM

Nice ideas. I'll add that it helps to make the target look more interesting. Make it seem like an obscure lab or organization in DOD. Or a company with valuable intellectual property that big Chinese/Russian firms could use. Plant some connections between the fake site and a real one they're probably reading. Then wait.
