
Google awarded hacker record $112,500 for exploit chain

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.


Last week Google disclosed the technical details of the exploit chain, which was devised in August 2017 by Guang Gong from Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904, and was submitted through the Android Security Rewards (ASR) program.


“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.



By chaining the vulnerabilities, attackers can remotely inject arbitrary code into the system_server process when a malicious URL is accessed in Chrome.


In an attack scenario, victims can be tricked into clicking on such a URL by hackers, who can then fully compromise their mobile device.


Gong was awarded $105,000 for this exploit chain; he also received an additional award of $7500 through the Chrome Rewards program.


Google fixed the flaws as part of the Android December security bulletin, which addressed a total of 42 bugs.


Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.


“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google devices and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.


Overall ASR payouts total over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.


http://securityaffairs.co/wordpress/68045/hacking/android-exploit-chain-award.html

The Baron
Jan 23, 2018

Wow what an honest ah tiong security expert..........pretty rare.
