Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest

Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.
[Video: https://www.youtube.com/embed/dA3aIMgRFY8]
The 2021 Pwn2Own, held as a virtual event, kicked off earlier this week and featured 23 separate hacking attempts across 10 different products, including web browsers, virtualization software, servers, and more. A three-day affair running several hours a day, this year's event was livestreamed on YouTube.
Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates of RET2 Systems landed a one-click Safari-to-kernel zero-day exploit and earned $100,000. He chained an integer overflow in Safari with an out-of-bounds (OOB) write to get kernel-level code execution, as shown in the tweet below.
RET2 Systems (@ret2systems), April 6, 2021: "Congratulations Jack! Landing a 1-click Apple Safari to Kernel Zero-day at #Pwn2Own 2021 on behalf of RET2: https://t.co/cfbwT1IdAt pic.twitter.com/etE4MFmtqs"
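The two bug classes named above, an integer overflow feeding an out-of-bounds write, are the classic pairing in native code: a size computation wraps, the allocation comes out far too small, and the loop that trusted the original count writes past the end. The following is an added illustration written for this page; it is not RET2's exploit and not Safari or macOS code. The `elem_t` type, the function names and the sample count are constructed for the demo, and `__builtin_mul_overflow` is the GCC/Clang builtin used for the hardened path. The overrun is computed arithmetically rather than performed, so the program runs without corrupting memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 4-byte element record, chosen so the arithmetic below is easy
 * to follow. Not from any real code base. */
typedef struct { uint32_t value; } elem_t;

/* Naive size computation: a 32-bit count times a 32-bit element size wraps
 * modulo 2^32 (well defined for unsigned types in C, but still a bug), so a
 * large count produces a tiny allocation. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Hardened version: checked multiplication via the GCC/Clang builtin. Returns
 * false instead of handing back a wrapped size. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    uint32_t product;
    if (__builtin_mul_overflow(count, elem_size, &product)) {
        return false;
    }
    *out = product;
    return true;
}

/* How many bytes a loop writing `count` elements would land past the end of a
 * buffer sized by naive_alloc_size(). Done in 64-bit arithmetic so the demo
 * never actually touches memory out of bounds. */
uint64_t naive_overrun_bytes(uint32_t count, uint32_t elem_size) {
    uint64_t intended  = (uint64_t)count * elem_size;
    uint64_t allocated = naive_alloc_size(count, elem_size);
    return intended > allocated ? intended - allocated : 0;
}

/* Allocate and fill an element array the safe way. Returns NULL when the size
 * computation would overflow, instead of allocating a too-small buffer and
 * writing past it. Caller frees the result. */
elem_t *alloc_and_fill(uint32_t count, uint32_t fill) {
    uint32_t size;
    if (!checked_alloc_size(count, (uint32_t)sizeof(elem_t), &size)) {
        return NULL;            /* refuse: count * sizeof(elem_t) overflows */
    }
    elem_t *buf = malloc(size);
    if (buf == NULL) {
        return NULL;
    }
    for (uint32_t i = 0; i < count; i++) {
        buf[i].value = fill;    /* in bounds: size == count * sizeof(elem_t) */
    }
    return buf;
}

int main(void) {
    /* Constructed input: 0x40000001 * 4 = 0x100000004, which wraps to 4. */
    uint32_t count = 0x40000001u;
    printf("naive size for %u elements: %u bytes\n", count,
           naive_alloc_size(count, 4));
    printf("bytes a fill loop would write out of bounds: %llu\n",
           (unsigned long long)naive_overrun_bytes(count, 4));

    elem_t *p = alloc_and_fill(count, 0x41);
    printf("checked path: %s\n", p ? "allocated" : "refused (overflow)");
    free(p);

    p = alloc_and_fill(16, 0x41);
    printf("checked path for 16 elements: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

With the constructed count the naive path reserves 4 bytes and the fill loop would write 2^32 bytes beyond it; the checked path refuses the request up front. In a real target the attacker-controlled count typically arrives from parsed input, which is why the check belongs at the size computation rather than at each write.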
Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.
One of the more serious demonstrations came from Dutch researchers Daan Keuper and Thijs Alkemade, who chained three flaws in the Zoom client to take full control of a target PC with no user interaction.
Zero Day Initiative (@thezdi), April 7, 2021: "We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW"
Pwn2Own participants received more than $1.2 million in rewards for the bugs they demonstrated. The Zero Day Initiative gives vendors like Apple 90 days to produce a fix for vulnerabilities uncovered at Pwn2Own before details are disclosed, so the Safari bug should be addressed in an update in the not too distant future.
This article, "Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest", first appeared on MacRumors.com.