Your favorite browser probably didn’t hold up at this week’s Pwn2Own hackathon

Whether you’re talking about Chrome, Firefox, Internet Explorer, or Safari, none of your favorite browsers escaped unscathed when some of the world’s best digital security consultants congregated at Pwn2Own, a hacking competition held during this week’s security-focused CanSecWest conference in Vancouver. The participants in the tournament found and demonstrated exploits in each browser during the event, while racking up cash prizes doled out for successful efforts.

According to PCWorld, this year’s big winner was French outfit Vupen, which zeroed in on vulnerabilities in several programs, including an exploit that would allow an attacker to bypass Chrome’s security measures. Vupen also hacked their way into Internet Explorer 11, Firefox, Adobe Flash and Adobe Reader, with Chaouki Bekrar, the group’s founder, earning close to $400,000.

Meanwhile, infamous hacker George Hotz, AKA Geohot, demoed his ability to pull off a remote code execution exploit in Firefox. Various teams also showed off remote code execution exploits, which would permit an attacker to take control of their victim’s computer using browsers like Safari and IE, as well as commonly used software like Adobe Flash Player and Adobe Reader. All told, software-makers awarded $850,000 in prize money to competitors over the two-day competition.

Not everybody does it just for the cash, though. A charity-focused hacking tournament dubbed Pwn4Fun pitted Google security consultants against members of Hewlett-Packard’s DVLabs Zero Day Initiative, or ZDI. Between the IE vulnerabilities found by ZDI and the Safari exploits the Google team used, the pair managed to raise $82,500 for the Canadian Red Cross.

Mike Epstein
Former Digital Trends Contributor
Michael is a New York-based tech and culture reporter, and a graduate of Northwestern University’s Medill School of…