Safari, Microsoft Edge exploits earn hackers $162k at Pwn2Own
Zero-day exploits netted hackers $162,000 in total on Wednesday during the Pwn2Own contest in Vancouver, British Columbia.
Exploits targeting Apple Safari and Microsoft Edge web browsers were the highlight of Pwn2Own’s first day, a zero-day vulnerability hacking contest organized by Trend Micro’s Zero Day Initiative. Some of the best hackers in the world attended this year for a chunk of $2 million in prizes.
One of the biggest wins of the day belonged to Samuel Groß (saelo) who successfully completed a privilege escalation in macOS via Safari. He capped off his $65,000 payday with a bit of showmanship by signing the touchbar on a MacBook Pro:
Richard Zhu, a veteran of Pwn2Own, competed twice on Wednesday. He initially failed to pop macOS via Safari, but was paid an unspecified amount through Zero Day Initiative’s bug bounty program because the exploit ended up working after the timed portion.
Zhu completed the Microsoft Edge challenge on his third and final attempt.
After a win, the vulnerabilities and exploit techniques are disclosed to vendors that, along with a large crowd, watch up close as the software is attacked.
Zhu earned $80,000 from Pwn2Own contests last year. Samuel Groß was part of a team that won $28,000 last year.
Niklas Baumstark (_niklasb), a teammate of Groß’s, successfully targeted Oracle VirtualBox with a guest-to-host escape for $27,000.
Pwn2Own’s day two will see Zhu target Mozilla Firefox with a Windows kernel escalation of privilege for $50,000; Markus Gaasedelen, Nick Burnett, Patrick Biernat of Ret2 Systems, Inc. target Apple Safari for $65,000 and MWR Labs’ Alex Plaskett (AlaxJPlaskett), Georgi Geshev (munmap), Fabi Beterke (pwnfl4k3s) targeting Apple Safari with a sandbox escape worth $55,000.
Correction: The total amount of prizes given away was $162,000.