Hacking for the good guys: Chrome cracked at Pwnium contest
Google offered cash prizes this week to hackers who could break its Chrome web browser. Less than 24 hours after the winner brought Chrome down, Google developers had a security fix ready.
Under normal circumstances, news of a hacker breaching a secure system and pocketing $60,000 would make us shudder and batten down our own online hatches. But in this case, a Russian teenager's exploit of Google's Chrome browser actually makes us all a little bit safer.
The hack took place during the Google-sponsored Pwnium contest this week, held at the CanSecWest security conference in Vancouver. The contest is designed to allow hackers to identify security holes in Chrome, so that these exploits can be patched before they're used for nefarious purposes. Sergey Glaznov won the top prize by breaching Chrome to gain full control of the test machine, allowing him to execute code remotely.
And true to their reputation for blazing-fast updates, Google developers released an over-the-air patch removing the security threat within 24 hours of the hack.
Chrome's main claim as a secure browser comes from a technique called "sandboxing," which keeps browser code away from the rest of the computer's operating system. In other words, even if a hacker gains access to Chrome, he or she won't (in theory) be able to access the whole computer. But Glaznov was able to chain three separate bugs in Chrome's programming to get around the sandboxing.
This was the first time that Chrome had been hacked publicly, but it wasn't the last: a French security company used a different exploit to bring the browser to its knees at the Pwn2Own competition, a separate hacking contest being held simultaneously at CanSecWest. Google says it hasn't received details about that hack yet, but users can undoubtedly expect another swift Chrome update once developers are able to plug that security hole as well.
Chrome's open-sourced code base is what enables Google developers to patch vulnerabilities and release patches to users so quickly. (A fix for a vulnerability in, say, Microsoft's Internet Explorer would likely have to go through weeks or months of quality-assurance tests before being pushed out to users.)
Now that the holes Glaznov discovered have been plugged, Google will spend some time studying the hack in depth, to better understand how to prevent similar exploits in the future. The Chrome Release blog notes that details about the hack won't be published until users have a chance to install the patch. Google wants to use Glaznov's hack to help patch other vulnerabilities -- but it doesn't want to give too much information to hackers who have less benevolent motives for wanting to cripple Chrome.