Two simultaneous browser security hacking challenges ended late Friday with a dramatic conclusion. More than $1 million in security awards had been put up for hackers to claim at Google’s Pwnium and HP TippingPoint’s Pwn2Own challenges, both held at the CanSecWest security conference in Vancouver. But the vast majority of that prize money went unclaimed, despite several last-minute successful hacks.
The drama in both contests came right down to the wire.
The Google Pwnium security contest was supposed to end at 2:00 pm PT on Friday, nearly three days after the contest’s kickoff. At 1:47 pm PT, with only thirteen minutes left in the contest, a teenage security researcher stepped up to the plate to attempt a full Chrome hack. Three hours later, Google officially confirmed that the young researcher, working under the alias “PinkiePie,” had fully “pwnd” Chrome with three exploits. For his efforts, PinkiePie was awarded $60,000.
While PinkiePie’s exploit was officially confirmed late Friday, Google apparently wasted no time in rushing to fix the flaw. On Saturday afternoon, Google updated its browser to Chrome stable 17.0.963.79, fixing the PinkiePie flaw. PinkiePie’s flaw was officially reported by Google to be an “Errant plug-in load and GPU process memory corruption.”
The PinkiePie exploit was only the second submission for the Pwnium 2012 event. On the first day of the contest, researcher Sergey Glazunov claimed the first $60,000 prize. Glazunov’s flaw was officially identified by Google as being a cross-site scripting and bad navigation flaw.
While Google did pay out $120,000 in awards at the Pwnium event, they had offered as much as $1 million in payouts — yet only two researchers came forward, leaving $880,000 on the table.