The annual two-day security contest, Pwn2Own, was held at the CanSecWest security conference. The event which has been on the calendar since 2007, took place in Vancouver, British Columbia on the 16th and 17th of this month.
Major browsers, Apple Safari, Microsoft Edge and Google Chrome, were all successfully exploited by hackers who were vying for prize money which amounted to $85,000 for a single attempt. In the end, a total of $460,000 was given as prize money which sees a slight decline from last year’s value which was $557,000.a total of 21 vulnerabilities across the three browsers were found with the operating systems, Windows, OS X and Flash player also attacked.
The annual conference is there to stimulate hackers to exploit and find vulnerabilities in widely used software’s and mobile devices so as to boost the security nature of the system. The software investigated are those that are not in public use as yet, so it helps developers find out problems in their systems, and they can make moves to fix them in time before they become public.
The rewards usually consist of the device in question being hacked into and cash prizes. The name Pwn2Own has been defined thus, “Pwn” meaning hack and “own” which maintains its original English definition. In full it is supposed to say, hack to win. It’s been viewed as another form of bug bounty which is run by high-tech firms to find vulnerabilities in their systems.
From the three browsers investigated, Google Chrome fared well compared to the other ones. Of the two attempts made on the Google browser, one was deemed a failure and one a partial success. The other one was given partial success award because; the vulnerability that was found had already been found and sent to Google by an independent source for evaluation.
Chrome’s results were in stark contrast with those of Microsoft Edge browser and Apple’s Safari browsers. Two attempts were made on the Edge browser with both attempts deemed successful while for Safari had three attempts made on it with a 100 % success rate also. For those who successfully managed to hack the Microsoft Edge, their efforts were rewarded handsomely as the biggest single attempt cash prize was coming from Microsoft.
Adobe Flash player was used because it’s been consistently used in circumventing browser securities. Operating systems were also included because the hackers had to gain access outside of the browser also. With every successful attack system and root privileges were achieved, which is a first for the conference.
The list of the 21 vulnerabilities found:
- Microsoft Windows: 6 vulnerabilities
- Apple OS X: 5
- Adobe Flash: 4
- Apple Safari: 3
- Microsoft Edge: 2
- Google Chrome: 1