
Google Gambles $20K that Chrome Can't be Cracked


Turbo Monkey
Jul 13, 2008

Google is so confident that its Chrome Web browser can't be hacked that it is willing to put $20,000 cash and a Chrome CR-48 notebook on the line to prove it. At the 2011 Pwn2Own contest, held in conjunction with the CanSecWest security conference in Vancouver next month, Google will put its money where its proverbial mouth is.
Google's use of Chrome as the name of both its browser and its OS is creating some confusion. There are some false reports that Google is offering the bounty for successfully cracking its Chrome OS-based CR-48 notebook. The Google CR-48 notebook will be awarded along with the $20,000 for a successful attack against the Chrome Web browser, but the Pwn2Own info clearly states that the notebook is merely a prize. There will be no attacks mounted against the Chrome OS, and the target Chrome Web browser will actually be running on the latest 64-bit release of either Windows 7 or Mac OS X.

The Chrome Web browser is the only participating browser with built-in sandbox protection. The sandbox segregates untrusted or potentially malicious scripts so they are unable to impact the core browser, or the underlying PC. Because of the sandbox, it will take some extra effort for an attack against the Chrome Web browser to be considered a success.

According to posted details about the Pwn2Own contest, a successful attack against Chrome will be measured over a few days. "On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope."
Google's $20k award is the largest ever offered at the annual Pwn2Own contest, and also the first time that a Web browser vendor has stepped up to contribute to the Pwn2Own cash pool. Perhaps the bravado is inspired by the fact that this will be the third year that Chrome will be targeted, yet it has remained un-cracked in years past.

Compare that to Apple's Safari Web browser, which is perennially cracked in minutes--if not seconds. But, even Firefox and Internet Explorer have fallen prey to Pwn2Own attacks. Only Chrome remains unscathed...so far. We'll see if $20,000 is enough incentive for an enterprising hacker to find a crack in its armor.

binary visions

The voice of reason
Jun 13, 2002
What are they trying to do by cracking the sandbox?
They're trying to make sure that nobody can get outside the sandbox.

I always laugh at these kinds of articles/titles.

Google isn't "so confident" that Chrome can't be cracked. They aren't putting the contest out there because they think it can't be done. It's not a publicity stunt to show that it's impossible to crack their browser.

$20k + a netbook is dirt cheap for them to have an entire team of hundreds or thousands of talented, smart hackers trying to expose vulnerabilities in their browser. They're hoping for someone to find something and claim the prize, so they can patch the holes. You can't hire the kind of talent that is going to take a shot at their browser.


I'm Mr. Negative! I Fail!
Aug 2, 2008
Im over here now
They're trying to make sure that nobody can get outside the sandbox.

They're hoping for someone to find something and claim the prize, so they can patch the holes. You can't hire the kind of talent that is going to take a shot at their browser.
I understand they are trying to get outside of the "sandbox", but are they trying to put a malicious file into the browser or make the browser do something it's not supposed to do?

It is pretty smart for them to offer $20k for someone else to find a flaw so they can fix it. $20k to Google is chump change.

binary visions

The voice of reason
Jun 13, 2002
I don't know how one puts a file "into" the browser. They're trying to make the browser execute code outside its sandbox - i.e. be able to interact with the OS and the filesystem. It doesn't matter what that code does.