Google Pixel, Safari, and Microsoft Edge all pwned at PwnFest 2016

Adobe Flash Player also fell. Surprised? We’re not.

David bisson
David Bisson
@
@DMBisson

Google Pixel, Safari, and Microsoft Edge all pwned at PwnFest 2016

Security researchers broke the Google Pixel, Apple’s Safari browser, and the Microsoft Edge browser running on Windows 10 at PwnFest 2016.

PwnFest is a part of Power of Community, an international security and hacking conference which takes place in Seoul, South Korea.

Teams of white-hat hackers register to compete in PwnFest to see who can gain system-level access to a variety of technologies in the shortest amount of time.

Sign up to our free newsletter.
Security news, advice, and tips.

Sounds fun! But that’s not all. It also pays well to those who win… like, hundreds of thousands of dollars well. One of the competitors, Chinese security firm Qihoo 360, walked away from the competition with more than half a million dollars (US $520,000).

How? By being one of the best at what they do.

On Friday, Qihoo 360’s hackers leveraged an undisclosed vulnerability to achieve remote code execution on the Google Pixel. Google will now work on a fix for the issue, a bug which by itself netted the team US $120,000.

4657878987654
The pwned Pixel opened up a web page in Google Chrome that reads “Pwned By 360 Alpha Team.”

The successful compromise is the second time hackers have compromised the Pixel in recent weeks.

The first to do it was the Qihoo 360 rival Keen Team of Tencent at the Mobile Pwn2Own event in Japan. Those hackers later demonstrated at PwnFest how they were able to obtain system-level privileges on the phone, including access to the device’s contacts, SMS messages, phone number, and other features.

That exploit is shown in the video below.

Google Pixel zero day exploit November 2016

Here are a few additional highlights from PwnFest 2016:

  • In 20 seconds flat, the Pangu Team abused a root privilege escalation bug to break Apple’s Safari browser and win 80,000 USD.
  • South Korean hacker Lokihardt smashed Microsoft Edge running on Windows 10 in just 18 seconds, earning for himself 140,000 USD in the process.
  • Qihoo 360 exploited a use-after-free zero day and a win32k kernel flaw to pop Flash. All it took was four seconds to win the 120,000 USD prize money.

Screen shot 2016 11 11 at 1 37 13 pm

We’ve all heard about bugs in Safari, Flash (too many to count, in fact), and other software. What makes PwnFest fun is the ability for researchers to research a method of attack, demonstrate it in front of their peers, and win some moolah in the process.

At the same time, none of the PwnFest exploits are made public. Those who compete at and sponsor PwnFest (well…maybe except for Google…) support the idea of responsible disclosure. That’s why exploits go straight to the vendors so that they can develop appropriate fixes.

Money… fame… security fixes… PwnFest is a win-win for all.

I tip my hat to Darren Pauli of The Register for his excellent coverage of this year’s competition.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.