Google patched a critical vulnerability in Chrome that a researcher found during a hacking competition in Japan.
The security researcher known as Pinkie Pie demonstrated his findings on a Samsung Galaxy S4 and a Nexus 4. The security hole found by Pinkie Pie on Chrome for Android also impacts the Stable version of the web browser. Google updated the Android and the Stable Chrome version to fix the vulnerability.
The vulnerability Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through research and responsible disclosure. It’s the sister contest to Hewlett-Packard’s Zero Day Initiative Pwn2Own contest.
As it turns out, Google shipped the updates only hours after the researcher defeated Chrome in the second day of the competition.
The exploit developed by the hacker takes advantage of two Chrome flaws: An integer overflow, and a bug that can end up leveraged for a full sandbox escape, according to HP.
In order for the attack to be successful, the attacker must convince the victim to visit a website that stores the exploit. In a successful attack, the hacker can remotely execute arbitrary code on the targeted device.
Google catalogues CVE-2013-6632 as “multiple memory corruption issues.” However, the exact details will not be available until most users have updated their installations.
For his findings, Pinkie Pie won $50,000. Of this amount, $40,000 represents the top prize for the Mobile Web Browser category. The extra $10,000 is the prize from Google to the one who could hack Chrome on Galaxy S4 or Nexus 4.
BlackBerry and Google sponsored this year’s Mobile Pwn2Own.
It’s worth highlighting that the security hole identified by the researcher is critical, which means users should update their Chrome browsers as soon as possible.