• Google Chrome exploit fetches 19 Year-Old "Pinkie Pie" $60,000 hacking prize
[quote][img]http://cdn.arstechnica.net/wp-content/uploads/2012/10/pinkie-pie1.jpg[/img]
[I]An image displayed on a computer after it was successfully commandeered by Pinkie Pie during the first Pwnium competition in March.[/I]

A hacker who goes by "Pinkie Pie" has once again subverted the security of Google's Chrome browser, a feat that fetched him a $60,000 prize and resulted in a security update to fix underlying vulnerabilities.

Ars readers may recall Pinkie Pie from earlier this year, when he pierced Chrome's vaunted security defenses at the first installment of Pwnium, a Google-sponsored contest that offered $1 million in prizes to people who successfully hacked the browser. At the time a little-known reverse engineer of just 19 years, Pinkie Pie stitched together at least six different bug exploits to bypass an elaborate defense perimeter designed by an army of some of the best software engineers in the world.

At the second installment of Pwnium, which wrapped up on Tuesday at the Hack in the Box 2012 security conference in Kuala Lumpur, Pinkie Pie did it again. This time, his attack exploited two vulnerabilities. The first, against Scalable Vector Graphics functions in Chrome's WebKit browser engine, allowed him to compromise the renderer process, according to a synopsis provided by Google software engineer Chris Evans.

Pounding on sand

Even then, Pinkie Pie encountered a predicament that is growing increasingly common among software exploiters. A security sandbox acts as a boundary that quarantines HTML and other types of browser content so it doesn't interact with more sensitive parts of a computer's operating system. And Chrome utilized one that prevented Pinkie Pie's exploit from doing much more than crashing the machine. With Microsoft's Internet Explorer and Apple's Safari browser offering similar defenses, the ability to craft drive-by Web exploits that remotely execute malicious code is getting significantly harder. A comprehensive study from last year found Google's sandbox was far more restrictive than Microsoft's, although some people have discounted that finding because the report was commissioned by Google.

To work around this limitation and actually gain control of the system, Pinkie Pie targeted a second bug, this one in Chrome's interprocess communication layer. Because his exploit relied only on code that is included with Chrome, the attack once again qualified for the top $60,000 prize specified under the Pwnium rules.

"We'd like to thank Pinkie Pie for his hard work in assembling another great Pwnium submission," Evans wrote. "We'll post an in-depth look at the bugs used and subsequent mitigations once other platforms have been patched."

Pinkie Pie was the sole winner this time around, but based on a Twitter dispatch from self-described "vulnerability assassin" Nikita Tarakanov, a freshly fixed vulnerability in Adobe's Flash Player scuttled his Pwnium plans during day one of the competition. Google Chrome is notable for packaging a custom version of Flash and providing security fixes for it before Adobe patches other Flash versions.

All told, it took just 12 hours from the time Pinkie Pie's attack was demonstrated to the time Google engineers released a fix. If that's not a record, it's better than the weeks or months it can take Mozilla, Microsoft, and Apple to patch their browsers against similarly devastating bugs.

[I]Dan Goodin / Dan is the IT Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. @dangoodin001[/I]
[/quote]
[url]http://arstechnica.com/security/2012/10/google-chrome-exploit-fetches-pinkie-pie-60000-hacking-prize/[/url]
Wow, this dude got 1mil before just for hacking? I don't mean to say that's easy, but that's a lot of money. EDIT: Oh no, 1mil in prizes, nevermind then. Still, that's pretty cool.
why are people rating this dumb
[QUOTE=Sparkwire;37999093]why are people rating this dumb[/QUOTE] [QUOTE=Amiga OS;37999094]Did the image [B]REALLY[/B] have to be [I]that[/I]?[/QUOTE]
well awesome some guy found an exploit in chrome and won some money, but since this person is a brony this thread is instantly dumbed and exploiter loses all credibility [editline]asd[/editline] and thus all discussion devolved into mlp
[QUOTE=Sparkwire;37999093]why are people rating this dumb[/QUOTE] Because the only thing they're looking at is the fact that the hacker goes by the name "Pinkie Pie." Who gives a shit, honestly.
[QUOTE=t h e;37999057]Wow, this dude got 1mil before just for hacking? I don't mean to say that's easy, but that's a lot of money. EDIT: Oh no, 1mil in prizes, nevermind then. Still, that's pretty cool.[/QUOTE] You're completely wrong. They've set aside $1 million to give away in small amounts to those who can hack their browser, depending on how bad the vulnerability is. In this case, enough to warrant $60,000.
Who gives a shit that he's into ponies, he just helped google deal with an exploit that could've caused more damage than he and his ponyism could've ever done.
[QUOTE=Sparkwire;37999093]why are people rating this dumb[/QUOTE] It has nothing to do with how demonstrably smart the kid is, it's because ponies. I'm not a fan of ponies myself but the kid is my age and is already more clever than some of Google's top engineers.
itt Facepunch has a cry because some guy who's really good at hacking also is a fan of My Little Pony which is bad and he should feel bad for enjoying it [highlight](User was banned for this post ("ITT/meme reply" - Orkel))[/highlight]
Oh shit he opened a picture in a browser. master hacker 2012 this really puts my computer's security at risk. Good heavens, what if it was porn?
[QUOTE=Amiga OS;37999094]Did the image [B]REALLY[/B] have to be [I]that[/I]?[/QUOTE] Does it matter
Bronyfags ruin everything. As if it was hard enough to live with furries... Edited: Wow, was really dick.
[QUOTE=Amiga OS;37999094]Did the image [B]REALLY[/B] have to be [I]that[/I]?[/QUOTE] The dude just broke into an (apparently) incredibly secure browser. The dude can put up whatever fucking image he wants to.
[QUOTE=MIPS;37999148]Bronyfags ruin everything. As if it was hard enough to live with furries...[/QUOTE] are you serious
Paying people to hack your browser then fixing it. Genius.
[QUOTE=Greenen72;37999106]well awesome some guy found an exploit in chrome and won some money, but since this person is a brony this thread is instantly dumbed and exploiter loses all credibility [editline]asd[/editline] and thus all discussion devolved into mlp[/QUOTE] He probably doesn't give a shit about your opinion, that's why he calls himself Pinkie Pie.
[QUOTE=yawmwen;37999149]The dude just broke into an (apparently) incredibly secure browser. The dude can put up whatever fucking image he wants to.[/QUOTE] I want to point out that the picture is from March. He just did it a second time. This kid isn't a one trick pony. (Ehehehehhehehehe)
Are Google the only people that do this kind of thing? It's a pretty smart way of making the software more secure.
[QUOTE=Amiga OS;37999167]Yes. It's attention whoring of the highest degree. [I]"HEY GUISE I LIKE A LITTLE GIRLS CARTOON HAR HAR HAR!"[/I][/QUOTE] how does it feel to know that somebody who likes a little girl's cartoon, is more of a badass than you are
[QUOTE=laylay;37999159]He probably doesn't give a shit about your opinion, that's why he calls himself Pinkie Pie.[/QUOTE] And with $60,000 I wouldn't care either.
[QUOTE=n0cturni;37999185]Are Google the only people that do this kind of thing? It's a pretty smart way of making the software more secure.[/QUOTE] No, I've heard that a ton of companies do this sort of shit. "Hacking" is an actual legal profession for quite a few people.
[QUOTE=Amiga OS;37999167]Yes. It's attention whoring of the highest degree. [I]"HEY GUISE I LIKE A LITTLE GIRLS CARTOON HAR HAR HAR!"[/I][/QUOTE] It's just an alias. So what, he chose a name from a television show that he enjoys.
[QUOTE=Amiga OS;37999167]Yes. It's attention whoring of the highest degree. [I]"HEY GUISE I LIKE A LITTLE GIRLS CARTOON HAR HAR HAR!"[/I][/QUOTE] if they are enjoying watching it and having a pleasant life then what is the problem oh no the guy in line in front of me is wearing a shirt with a colourful pony on it WELL THAT'S MY DAY RUINED ISN'T IT
[QUOTE=yawmwen;37999203]No, I've heard that a ton of companies do this sort of shit. "Hacking" is an actual legal profession for quite a few people.[/QUOTE] You can get a Certified Ethical Hacker certification, a recognized cert that shows you can do just that.
Bronies, bronies everywhere...
[QUOTE=Bobie;37999186]how does it feel to know that somebody who likes a little girl's cartoon, is more of a badass than you are[/QUOTE] It's not badass. It's talented.
[QUOTE=ROFLBURGER;37999259]It's not badass. It's talented.[/QUOTE] I would classify beating some of the world's best minds as a feat of badassery.
[QUOTE=SGTNAPALM;37999252]You can get a Certified Ethical Hacker certification, a recognized cert that shows you can do just that.[/QUOTE] I'm actually pretty curious as to how these people get their experience, it doesn't seem to be something that can just be readily taught; is it just a byproduct of knowing a lot about software design?
[QUOTE=yawmwen;37999274]I would classify beating some of the world's best minds as a feat of badassery.[/QUOTE] Um. It's not the world's best minds, it's the best software designers google can get their hands on.