The contestants had just 30 minutes to attempt to execute exploits against fully-patched versions of Internet Explorer, Google Chrome, Mozilla Firefox and Apple Safari. The aim is to leverage a vulnerability in each browser to modify the program and allow the execution of instructions by the attacker.
Arranged by HP Security Research Zero Day Initiative researchers, each entrant must defeat the browser’s self-protection that prevents the external execution of code and ensures that the browser operates securely.
Four exploits were found in Internet Explorer 11, three in Firefox, two in Safari and one in Google Chrome that was present in both stable and beta builds of the browser.
JungHoon Lee, known as Iokihardt, was responsible for exploiting Chrome and ended up winning the single largest payout in Pwn2Own’s history for his work. He used a buffer overflow condition in Chrome and then an info leak condition in two Windows kernel drivers to gain access to SYSTEM. He won $75,000 for the core bug and an extra $75,000 for gaining access to SYSTEM. Google then gave him an additional $10,000 for hacking the beta version of Chrome, netting Iokihardt a grand total of $110,000 of earnings in 30 minutes – $916 a second.
Lee later hacked Internet Explorer to earn another $65,000. Later in the day, a use-after-free attack against Safari brought him another $50,000. He went home with $225,000.
The contest is well regarded in the technology world. The contestants enjoy breaking the technologies they rely on and can gain substantial profits for their efforts, as seen in the case of Iokihardt, while the browser vendors get a chance to patch their programs and make them more secure.
The developers of each browser meet with the contestants who successfully exploited their software immediately afterwards so that they can talk about the insecurities found and immediately begin to fix the program.
