The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash.
During the second and final day of this year's hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers.
Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $557,500 USD bounty paid out to researchers
The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.
Lee was able to take down both stable and beta versions of Google Chrome browser by exploiting a buffer overflow race condition bug in the browser and nabbed $75,000 as bug bounty.
For this same bug, Lee also nabbed an extra $25,000 for gaining system access by targeting an information leak and a race condition in two Windows kernel drivers. To hack the beta version of Chrome, Google's Project Zero rewarded Lee by an extra $10,000. So, he earned a grand total of $110,000.
"To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration," HP's security research team wrote in a blog post Thursday. "There are times when 'Wow' just isn't enough."
Earlier in the day, Lee also earned $65,000 for hacking the 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability that gained him read/write privileges on the browser. He used a sandbox escape via JavaScript injection to evade Windows defenses mechanism.
By using a use-after-free exploit and a separate sandbox escape, Lee also took down Apple's Safari browser. The hack earned him $50,000 and brought his total winnings to $225,000 from the contest.