The Pwn2Own security competition, which encourages experts to demonstrate security flaws in various types of software and hardware, ended this year's "Canadian" edition with something new: because of the new coronavirus pandemic, participants held their demonstrations remotely, over the Internet.
The demonstrations were carried out through remote access to a system provided by the competition, with webcams showing the competitors' faces. Over the two days of competition, the experts demonstrated 13 security flaws and received a total of US$ 270 thousand (about R$ 1.35 million) in prizes.
Flaws were demonstrated in Adobe Reader, Safari (Apple's web browser) and Oracle VirtualBox. Operating systems were not spared either: researchers were able to exploit vulnerabilities in Windows, macOS and Ubuntu Linux, often to escalate the access gained through one of the other flaws.
In an attack against Safari on macOS, for example, experts from the Georgia Tech Systems Software & Security Lab chained six vulnerabilities in sequence to turn a web page into a program with full access to the operating system.
Even with the competition opened to remote participants, the victory went to a renowned Pwn2Own duo, Fluoroacetate. Formed by experts Amat Cama and Richard Zhu, Fluoroacetate has won the competition three other times, including the Tokyo and Canada editions in 2019.
Pwn2Own has been held since 2007. Its first edition took place at the CanSecWest security conference in Canada. The competition gained an edition in Tokyo in 2013 and one in Miami in 2019. When it debuted, Pwn2Own caused a lot of controversy with its offer to give the hardware (a MacBook) to the researcher who could demonstrate an attack.
In 2007, it was unusual for researchers to receive any kind of reward for finding and demonstrating security flaws. Pwn2Own was part of the change in this scenario: today, many companies have incentive programs that reward specialists willing to find and report flaws in their products.
But there is a condition: the researcher cannot publicly disclose the flaw, so that those responsible can correct the problem before hackers can take advantage of it.