At Mobile Pwn2Own 2013 – the competition that took place in Tokyo, Japan, alongside the PacSec 2013 security conference – the security expert known as Pinkie Pie managed to find a critical vulnerability in Chrome.
He demonstrated his findings on both a Samsung Galaxy S4 and a Nexus 4. The security hole found by Pinkie Pie on Chrome for Android also impacts the Stable version of the web browser. Google has updated both the Android and the Stable version to fix the vulnerability.
The search engine giant rolled out the updates only hours after the researcher defeated Chrome on the second day of the competition.
According to HP, the exploit developed by the hacker actually relies on two Chrome flaws: an integer overflow and a bug that can be used for a full sandbox escape.
For the attack to succeed, the victim must be convinced to visit a website that hosts the exploit. In a successful attack, the hacker can remotely execute arbitrary code on the targeted device.
Google catalogues CVE-2013-6632 as “multiple memory corruption issues.” However, the exact details will not be made available until most users have updated their installations.
For his findings, Pinkie Pie has been rewarded with $50,000 (€37,000). Of this amount, $40,000 (€29,600) represents the top prize for the Mobile Web Browser category. The extra $10,000 (€7,400) is the prize offered by Google to the one who could hack Chrome on Galaxy S4 or Nexus 4.
This year’s Mobile Pwn2Own was sponsored by BlackBerry and Google.
It’s worth highlighting that the security hole identified by the researcher is critical. This means that users should update their Chrome browsers as soon as possible.