Search results for Pwn2Own | Breaking Cybersecurity News | The Hacker News

Google bets $20000 that Chrome browser can not be hacked !

Feb 03, 2011
Google will pay $20,000 to the first researcher who successfully exploits its Chrome browser at this year's Pwn2Own hacking contest. The prize is the largest ever offered at the annual challenge, which begins for the fifth time at the CanSecWest security conference in Vancouver, British Columbia, on March 9. At Pwn2Own this year, researchers will launch exploits against machines running Windows 7 or Mac OS X as they try to bring down Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Chrome. The first researchers to hack IE, Firefox and Safari will receive $15,000 and the computer running the browser. The prizes are $5,000 higher than those given for exploiting browsers at the last Pwn2Own contest, and three times the 2009 prize. "We've raised the bar this time and the total allocated to cash prizes rose to a whopping $125,000," said Aaron Portnoy, director of HP TippingPoint Security Research Team. TippingPoint, which is once again sponsoring Pwn2Own, set th
Hacker kills his own Pwn2Own bug for Android phones !

Mar 08, 2011
A vulnerability that a researcher planned to use to compromise an Android cellphone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market. Scio Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't believe the vulnerability would qualify under terms of the Pwn2Own contest that is scheduled to start on Wednesday. The "incredibly low-hanging naive persistent XSS" allowed attackers to remotely install malicious apps on Android handsets by tricking users into clicking a link on their phones or computer browsers while logged into a Google account. Oberheide later learned that the vulnerability didn't run afoul of contest rules, allowing him to collect $15,000 and a free handset if he was successful. But he recently discovered Google closed the security hole. The $1,337 awarded to Oberheide under Google's bug bounty program is little consolati
The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024 Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity. Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Internet Explorer and Safari first to fall at Pwn2Own 2011, Chrome and Firefox still standing !

Mar 10, 2011
Pwn2Own, the annual three-day browser hackathon, has already claimed its first two victims: IE8 on Windows 7 64-bit, and Safari 5 on Mac OS X. Google Chrome looks set to survive for its third year in a row. Internet Explorer 8 was thoroughly destroyed by independent researcher Stephen Fewer. "He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before," said Aaron Portnoy, the organizer of Pwn2Own. Safari 5, running on a MacBook Air, was compromised in just five seconds by French security company Vupen. Both attackers netted $15,000 for successfully compromising a browser. The contest continues today and tomorrow. Firefox 3.6 is yet to be attacked, and tomorrow will see the very first mobile browser deathmatch. Windows Phone 7, iOS, Android and RIM OS, all with their stock browsers, will be attacked by security researchers to find out just how secure mobile browsing is. Again, $15,000 is
Microsoft Releases Zero IE8 Security Updates Before "Pwn2Own" !

Mar 07, 2011
Microsoft has opted not to release any patches to its Internet Explorer 8 browser prior to this year's Pwn2Own browser exploit challenge, which is set to run from March 9 to March 11 at the CanSecWest security conference. There's been no indication as to why Microsoft's not making one last effort to plug security vulnerabilities within Internet Explorer 8. Pundits have suggested that the company might be waiting to see exactly what exploits and security flaws are uncovered by the various contestants in the annual contest, such that the company can more quickly address them post-Pwn. For the uninitiated, Pwn2Own works like this: Security researchers square off in an attempt to hack through the browser or mobile operating systems of eight different targets. Each Pwn2Own entrant or team has 30 minutes to compromise the browser or phone, and each device or web browser has—at maximum—four individuals or teams competing. The first group to successfully hack a device or browse
Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021

Apr 12, 2021
The 2021 spring edition of Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade. A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI). Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems. Some of the major highlights are as follows:
- Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
- Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000
- A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system. ($200,000)
- The exploitation
Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

Mar 22, 2015
The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. During the second and final day of this year's hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers. Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $557,500 USD bounty paid out to researchers
The star of the show was South Korean secur
0-Days Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones

Nov 15, 2018
At the Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward. Teams of hackers from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices.
Apple iPhone X Running iOS 12.1 — GOT HACKED!
A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to
Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

Aug 27, 2024 Vulnerability / Browser Security
Google has revealed that a security flaw that was patched as part of a software update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the bug in the NIST National Vulnerability Database (NVD). A security researcher who goes by the online pseudonym TheDog has been credited with discovering and reporting the flaw on July 30, 2024, earning them a bug bounty of $11,000. Additional specifics about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be utilizing it have not been released. The tech giant, however, acknowledged that it's aware of the
Geohot Will Try His Hacking Skills On Windows Phone 7 !

Mar 07, 2011
Geohot has been causing quite a disturbance due to his ongoing legal battle with Sony. Geohot jailbroke the Sony PS3 to run unsigned code. Sony is now suing him, and Geohot is under the tech industry's spotlight more than ever. So, what does all this have to do with Windows Phone 7? Microsoft has shown interest in Geohot before, and the company even reached out to him financially for his legal fight against Sony. Geohot will now be using his hacking skills at an upcoming convention to try and jailbreak Windows Phone 7… George "Geohot" Hotz is renowned for his jailbreak exploits on the iPhone, and he has expanded his hacking interests to other platforms. Electronista reports, "At the fifth annual Pwn2Own competition next week, George Hotz (Geohot) will attempt to use his hacking skills that landed him in hot water with Sony to win prizes. This year's target platform will be Windows Phone 7, though other devices and operating systems will also take part. An attack will be judged
Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild

Aug 22, 2024 Browser Security / Vulnerability
Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page," according to a description of the bug in the NIST National Vulnerability Database (NVD). The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw on August 19, 2024. No additional details about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be weaponizing it have been released, primarily to ensure that a majority of the users are updated with a fix. The tech giant, however, acknowledged in a terse sta
The Keen Team - Chinese Hacker Group Reveals their Identities

Apr 17, 2014
The Keen Team, a mysterious group of Chinese hackers who hacked Apple's Safari on a Mac OS X Mavericks system in just 20 seconds and Windows 8.1 Adobe Flash in only 15 seconds during the Pwn2Own Hacking Competition this year, is no longer mysterious, as the team has revealed its members' identities. In an interview with a Chinese newspaper on April 13, the key member of the Keen Team and co-founder as well as chief operating officer of the team's Shanghai-based parent company, Lv Yiping, said half of his team members are the top-scoring students in the national college entrance examination, half of them majored in mathematics, and half are from Microsoft. He also added that the team's eight core members are the top hackers in the country. The Keen Team is the first Chinese hacker group to have won the prestigious title at the world hacking contest held in Vancouver this year in March. Back in 2013, they also took part in the Mobile Pwn2Own contest held in Tokyo and succe
Samsung Galaxy S4 and iPhone 5 zero-day exploits revealed at Pwn2Own 2013 Contest

Nov 14, 2013
At the information security conference PacSec 2013 in Tokyo, Apple's Safari browser for the iPhone 5 and the Samsung Galaxy S4 have been exploited by two teams of Japanese and Chinese white hat hackers. In HP's Pwn2Own 2013 contest, Japanese squad Team MBSD, of Mitsui Bussan Secure Directions, won a $40,000 reward for a zero-day exploit for hacking the Samsung Galaxy S4. The vulnerabilities allow the attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone. In order for the exploit to be successful, the group lured a user to a malicious website, gained system-level privileges and installed applications that allowed the team to gather information, including SMS messages, contacts and browsing history. They Another Hackers Team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4. They wo
Update Your Safari Browser to Patch Two Dozen of Critical Vulnerabilities

Apr 03, 2014
So, is your Safari Web Browser Updated?? Make sure you have the latest web browser update for your Apple Macintosh systems, as Apple released Safari 6.1.3 and Safari 7.0.3 with new security updates. These security updates address multiple vulnerabilities in its Safari web browser, which has always been the standard browser for Mac users. This time it is not five or ten, but in fact about two dozen. Apple issued a security update to patch a total of 27 vulnerabilities in the Safari web browser, including the one which was highlighted at the Pwn2Own 2014 hacking competition. The available updates replace the browser running OSX 10.7 and 10.8 with the latest versions of browser 6.1.3, and OSX 10.9 with 7.0.3. Among the 27 vulnerabilities, the most remarkable vulnerability addressed in the update is CVE-2014-1303, a heap-based buffer overflow that can be remotely exploited and could lead to a bypass of a sandbox protection mechanism via an unspecified vector. This vulnerability is
Android 4.0.4 multiple Zero-Day Vulnerabilities

Sep 19, 2012
The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam. Using a pair of zero day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC (Near Field Communications). NFC is a technology that allows data to be sent over very short distances. For mobile devices, the protocol allows digital wallet applications to transfer money to pay at the register. While the technology has been slow to take off, despite the adoption by Google for its Wallet payment application, a number of recent high-profile announcements have boosted its adoption. "Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability
Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024

May 24, 2024 Vulnerability / Browser Security
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024. Type confusion vulnerabilities occur when a program attempts to access a resource with an incompatible type. It can have serious consequences as it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code. The development marks the fourth zero-day that Google has patched since the start of the month after CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947. The tech giant did not disclose additional technical details about the flaw, but acknowledged that it "is aware that an exploit for CVE-2024-5274 exists in the wild
Google & Mozilla Patches Browsers Before Pwn2Own Hacker Contest !

Mar 04, 2011
Now that the annual Pwn2Own hacking contest is around the corner, both Google and Mozilla are busy patching flaws in their respective browsers to appear competent in the contest. Both internet giants have reportedly updated their browsers for the contest that is due to take place next week at the CanSecWest Applied Security Conference. Google patched 19 flaws in its Chrome and rated 17 of them as "high" whereas the other three as "Medium". Mozilla followed Google's step and introduced patches for 10 flaws in its Firefox. It classified eight of the security flaws as "critical" whereas it rated others as "Moderate" and "High" respectively. Google rewarded the researchers who fixed the bugs with an attractive sum, the highest being $1,000. The patching was carried out in different areas including an integer overflow during the process of textarea handling. Google's URL bar spoof was also updated. The major flaw that was updated by Firefox consists of a bug that if activated by a corrupt
Chinese Hackers won $215,000 for Hacking iPhone and Google Nexus at Mobile Pwn2Own

Oct 27, 2016
The Tencent Keen Security Lab Team from China has won a total prize money of $215,000 in the 2016 Mobile Pwn2Own contest run by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan. Despite the implementation of high-security measures in current devices, the famous Chinese hackers crew has successfully hacked both Apple's iPhone 6S as well as Google's Nexus 6P phones.
Hacking iPhone 6S
For hacking Apple's iPhone 6S, Keen Lab exploited two iOS vulnerabilities – a use-after-free bug in the renderer and a memory corruption flaw in the sandbox – and stole pictures from the device, for which the team was awarded $52,500. The iPhone 6S exploit successfully worked despite the iOS 10 update rolled out by Apple this week. Earlier this week, Marco Grassi from Keen Lab was credited by Apple for finding a serious remote code execution flaw in iOS that could compromise a victim's phone by just viewing "a maliciously crafted JPEG" image. However, a
BlackBerry Hacked via Drive-By Download at Pwn2Own !

Mar 11, 2011
BlackBerry OS fell during the second day of the Pwn2Own hacking competition as a result of a drive-by download attack that chained together several exploits. The trio that managed to hack RIM's mobile operating system, Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, exploited two vulnerabilities in the open-source WebKit layout engine in order to do it. The attack was launched from a specially crafted web page that stole information like contacts and images from the device and also wrote a file to the storage system. The hackers chained together an exploit for an information disclosure bug and one for an integer overflow vulnerability, but what's most impressive is that they did it without any documentation. They didn't have access to any debugging tool, like the ones available for other systems, that could have helped them determine how the attack code interacts with the system. Instead, they had to rely on exploiting a separate bug to read the device
Chrome, Firefox, Java, IE10 exploited at Pwn2Own competition

Mar 07, 2013
During the first day of Pwn2Own competition at the CanSecWest conference in Vancouver, latest versions of all major browsers were exploited by hackers. Chrome, Firefox and Internet Explorer 10 on Windows 8 were successfully pwned by various competitors, bringing them tens of thousands of dollars in prizes. French vulnerability research and bug selling firm 'Vupen' brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws. Researchers Jon Butler and Nils from MWR Labs managed to exploit Google Chrome on Windows 7 and also used a kernel bug to bypass the sandbox. "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privi
Stephen Fewer won Pwn2Own !

Mar 10, 2011
The annual Pwn2Own contest at the CanSecWest conference kicked off Wednesday and one of the winners this year was Stephen Fewer, who exploited Internet Explorer 8 on Windows 7. Dennis Fisher spoke with him about the contest, the challenge of attacking IE 8 and the utility of memory protections.