Chrome falls in first five minutes at Pwn2Own vulnerability contest

ChromeSeparate from Google’s own Pwnium competition, which has seen a Russian security researcher net $60,000 by uncovering a security hole in Chrome, other vulnerability hunters have successfully exposed weaknesses in the popular browser.

The series of exploits have brought to an end Chrome’s boastful track record of fending off attacks in earlier contests.

Researchers at the French security outfit Vupen told ZDNet that they deliberately targeted Google’s browser at this week’s Pwn2Own competition at CanSecWest in Vancouver.

“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” said VUPEN co-founder and head of research Chaouki Bekrar.

Sign up to our free newsletter.
Security news, advice, and tips.

The Pwn2Own organisers announced on Twitter that the team of hackers had circumvented Chrome’s security within five minutes of the competition beginning.

[tweet https://twitter.com/Pwn2Own_Contest/status/177507645190705153]

Vupen’s Bekrar demonstrated the Chrome exploit by visiting a webpage containing the exploit code. Upon reaching the page, the code ran the Windows calculator program (calc.exe) outside of Chrome’s sandbox without the user’s permission.

Windows Calculator

Of course, a real attack could have done something much nastier – for instance, infecting computers with malicious software.

HP TippingPoint organizes the Pwn2Own competition as part of its Zero Day Initiative bug bounty program, and awarded Vupen 32 points for its achievement against Chrome.

Vupen was also awarded points for other vulnerabilities it demonstrated, including one against Safari. If they are still the top-scoring team on Friday they will receive the top prize of $60,000 for their efforts.

Google, which runs the separate Chrome-specific Pwnium competition, split away from Pwn2Own because of new changes in the Pwn2Own rules that it felt would hamper its ability to access details of successful exploits.

If you know how to exploit Chrome, it seems there are more avenues than ever to be rewarded for your efforts. Just please make sure that you work responsibly with the security community, rather than using such exploits for malicious purposes.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.