
MacRumors

macrumors bot
Original poster


Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.


This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products including web browsers, virtualization, servers, and more. A three-day affair that spans multiple hours a day, this year's Pwn2Own event was livestreamed on YouTube.

Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates from RET2 Systems executed a Safari to kernel zero-day exploit and earned himself $100,000. He used an integer overflow in Safari and an OOB write to get kernel-level code execution, as demoed in the tweet below.


Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.

A serious Zoom flaw was demonstrated by Dutch researchers Daan Keuper and Thijs Alkemade, for example. The duo exploited a trio of flaws to get total control of a target PC using the Zoom app with no user interaction.


Pwn2Own participants received more than $1.2 million in rewards for the bugs they discovered. Pwn2Own gives vendors like Apple 90 days to produce a fix for the vulnerabilities that are uncovered, so we can expect the bug to be addressed in an update in the not too distant future.

Article Link: Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest
 
I always worry given Zoom’s ties to China and the slipshod way they went for growth above all, if some of these “flaws” are actually backdoors.

As convenient and pervasive as Zoom is, no way I would trust it if I was a CTO or enterprise security officer.
 
They got through Parallels a few times. I saw the whole list on another site. They pretty much owned everything over the first 2 days of the event.

Wonder what day 3 will bring. Still almost $600k in prize money to be won.

The bugs get 90 days to be fixed by the vendors.
 
Always good to see this - as it means these holes that were open to being exploited by bad guys are now going to be closed.

Sounds like more is to come, perhaps iOS.

With regards to Zoom. Their main developers are located in China. An American company using developers located in China, presumably for the super cheap costs (lower than from India). The company itself (its CEO) has a history of lying about encryption and other things previously. It was caught routing Zoom calls in the U.S. through China (this was about a year ago before things really took off for them). But like Facebook, everyone uses them so you're kinda stuck.

https://techcrunch.com/2020/04/03/zoom-calls-routed-china/
 
I too live in Canada.

I also understand that BWhaler referred to CTO (Chief Technology Officer) and enterprise security officer so he's talking about business concerns. Trade secrets, financial secrets - things the Chinese government clearly has interests in.

If you are a CTO or anyone who has access to classified information, your smartphone is probably very restricted.

And if you are a CTO and you can’t make sure your devices are secure, you should be fired.

Also, it is not like the United States or European companies or governments aren’t interested in trade secrets and financial secrets. Every country has its own spy network that specializes in stealing secrets. Aren’t you being racist when you single out the Chinese government?
 
What’s to stop employee A from putting in a flaw, telling hacker 1 the issue, and splitting the reward?
 
Potentially, all sorts of things, and it's not just China. Just as an example, let's say you're an engineer and work for the government (military or civilian), or are an engineer for an aerospace contractor (Lockheed, just as an example) working on projects for the defense of the US or Canada, or, that gather information on adversaries of the United States. There are many more possibilities.

First of all, if you work for these types of companies, you are not supposed to install unauthorized apps on devices containing sensitive information.

Second of all, you are not supposed to store sensitive information on your personal information.

And you should understand the scope of your work responsibilities, what can be said and what cannot be said. And your company should also make sure their devices are encrypted and secure.

So what is there to be afraid of?
 
What’s to stop employee A from putting in a flaw, telling hacker 1 the issue, and splitting the reward?

In short, not much, other than professional integrity and corporate QA process with peer review of code. That is why big companies (should) have strict vetting procedures to help prevent such collusion. And is it really worth sacrificing a lucrative development career over 50% stake in a bug reward which would what? Amount to a few months' salary at best.
 
The Chinese government is run by Chinese. And yes, if you are singling out the Chinese government, you are basically saying Chinese are cheaters and Chinese are thieves.

But every government in the world does spy on each other, stealing information etc.
That's some pretty loopy logic there. If I criticise the Canadian government am I racist towards Canadians (after all it's run by Canadians)? Of course not, what ridiculousness. There are 1.4 billion Chinese people and being critical of their leadership is not the same thing as hating 1.4 billion people because of their ethnicity. And if you think they are your friend, you better read up on your own history (Nortel IP theft for example).
 
Aren’t you being racist when you single out the Chinese government?
Here we go, let’s throw the race card on the table for any argument that does not seem favourable.

Short answer: No, this has nothing to do with race; it has to do with various governments, not only China, that indulge in these practices. China has a law that forces private companies to comply whether those companies like it or not, and they become a pseudo-extension of the military and Chinese government, hence the skepticism.

Other governments do this to a certain extent but there is a guise of law via a warrant even though there are back door approaches to circumvent some but not all as it’s the illusion of citizen privacy vice China with its blatant law to disregard any citizen privacy.

FYI: I am a minority and I don’t live life with racist-tinted glasses. Yes, there are some bad actors, but the majority are not. We cannot paint other races with hate.
 
That's some pretty loopy logic there. If I criticise the Canadian government am I racist towards Canadians (after all it's run by Canadians)? Of course not, what ridiculousness. There are 1.4 billion Chinese people and being critical of their leadership is not the same thing as hating 1.4 billion people because of their ethnicity. And if you think they are your friend, you better read up on your own history (Nortel IP theft for example).
Well Huawei does have a large office in the area, I would not dismiss anything tbh. Some cultures indoctrinate their citizens from birth to think of a common ideology and thus extends far beyond Chinese shores. A lot of studies and ongoing have been conducted. It’s not done by some mistake, actually the military and levels of government even corporations like Apple have similar boot camps tbh.
 
What does Chinese government need from you?
Huawei vs Nortel. Ask the two Michaels how that entire affair is going for them. Or all of the Canadian pensioners, shareholders and former employees tied to Nortel (more than 1/3 of the total value of the TSX at one time).
 
It's still interesting to see that Safari is a headliner every year, whereas Firefox has become difficult.

US$100,000 doesn't seem enough for such a huge problem.
 
First of all, if you work for these types of companies, you are not supposed to install unauthorized apps on devices containing sensitive information.

Second of all, you are not supposed to store sensitive information on your personal information.

And you should understand the scope of your work responsibilities, what can be said and what cannot be said. And your company should also make sure their devices are encrypted and secure.

So what is there to be afraid of?

That's easy. Up above you posed the question: "What does Chinese government need from you?"

I simply answered it, providing an example. And of course that's not limited to the Chinese government. Furthermore, it has little to nothing to do with how one stores classified information. More succinctly, what a foreign adversary needs is information. Doesn't even need to be a foreign adversary. Jonathan Pollard comes to mind.

A foreign adversary simply knowing who you are, where you live, your financial situation and weaknesses, your social/political weaknesses, the aerospace/defense/etc company or branch of the government you work for, can potentially set you up for being compromised and ultimately pressured to provide sensitive/classified information either via blackmail or for money, or both. That has been going on for longer than the availability of personal phones. And by many dozens of governments worldwide.
 
I think it's telling that rewards for Safari exploits were lower than those for Edge and Chrome. While all got exploited, only Safari also had a breach of the sandbox. Apple needs to step up their security game as they did with Blastdoor for iMessage.
 