During the second and final day of this year's hacking contest, the latest versions of all four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by two security researchers.
Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran for two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $557,500 USD bounty paid out to researchers
The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout in Pwn2Own history, an amazing bounty of $110,000 in just two minutes.
Lee was able to take down both the stable and beta versions of the Google Chrome browser by exploiting a buffer overflow race condition bug in the browser, and nabbed $75,000 as a bug bounty.
For this same bug, Lee also nabbed an extra $25,000 for gaining system access by targeting an information leak and a race condition in two Windows kernel drivers. For hacking the beta version of Chrome, Google's Project Zero rewarded Lee with an extra $10,000. So, he earned a grand total of $110,000.
"To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration," HP's security research team wrote in a blog post Thursday. "There are times when 'Wow' just isn't enough."
By using a use-after-free exploit and a separate sandbox escape, Lee also took down Apple's Safari browser. The hack earned him $50,000 and brought his total winnings to $225,000 from the contest.