The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.
The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.
Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.
In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits discovered during the contest are reported to the necessary companies like Apple so they can be patched.
Top Rated Comments
Also, they get paid for it. Quite a lot.
Good grief indeed.
At least hire these kids, good grief.
Direct info: https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
They don't just set them down in front of a machine and say "you have 1 hour to break into Safari" and away they go. They aren't "on-demand" hackers who can break into anything on the spot.
They would have spent months looking for vulnerabilities and testing exploits and kept them a secret until the conference. Then they'd demonstrate them (while being timed) and if they are able to replicate their exploit within the time frame they get the prize money.
The idea that you can just hire a few people like this to work at Apple and they'll simply sit down and clear up any exploits in your software is ridiculous.