Chromebook exploit earns researcher second $100k bounty

By John E Dunn

November 22, 2017

For Google’s bug bounty accountants, lightning just struck twice.

In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks.

Twelve months on, the same researcher was wired an identical payout for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS.

By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.”

More likely, it wasn’t regretting it at all: isn’t being told about nasty vulnerabilities the whole point of bug bounties?

By Chromebook standards the latest issue is a biggie: an exploit chain comprising an impressive five CVE vulnerabilities that would allow an attacker to remotely pwn the system via a web page.

Rated as high severity, these are: an out-of-bounds memory access in Chrome’s V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection in network_diag (CVE-2017-15403), a symlink traversal in crash_reporter (CVE-2017-15404), and a symlink traversal in cryptohomed (CVE-2017-15405).

Anyone running the stable channel who turned on their Chromebook or Chromebox on or after 27 October would have received an automatic update to version 62.0.3202.74 (or later), so the issue can be fixed by nothing more taxing than a 10-second reboot.

That update, incidentally, also fixed another high-priority flaw, CVE-2017-15400, as well as curing the cascade of Wi-Fi vulnerabilities making up KRACK.

Which all goes to show that while Chrome OS has suffered far fewer flaws than the “full service” Windows and Apple platforms it would like to supplant, it is not free of flaws altogether.

And the number of flaws seems to be increasing as the platform gets more attention.
