from the easy-money dept.
Those of you who follow my reporting may already be familiar with Pwn2Own, a series of hacking events that test some of the most talented hackers across the world. These elite security researchers have been trying to exploit popular software, hardware and services since 2007 in exchange for the kudos. And money. Lots of money. In November 2019, during the Pwn2Own Tokyo event, a total of $315,000 (£270,300), including one hacking group which earned $80,000 (£68,500) for hacking the Samsung Galaxy S10. Twice. That hacking group was Team Fluoroacetate, Amat Cama and Richard Zhu, who ended up earning a total of $195,000 (£167,000) and the coveted "Master of Pwn" title by the time the event was over. It looked like these master hackers wouldn't be able to defend that title as coronavirus travel restrictions, and fear of infection, threatened to cancel the Pwn2Own 2020 event taking place at the CanSecWest cybersecurity conference in Vancouver, Canada.
They need not have worried, as the event went virtual for the first time. This involved the various hackers submitting exploits in advance to the Pwn2Own organizers, who then ran that code during a Zoom live stream involving all the participants. The Zero Day Initiative that runs the Pwn2Own event said: "The world right now is a tumultuous place full of uncertainty. It is communities, such as the security research community and the incident response community, that we can rely on during these trying times. We are so appreciative of all those who helped the event come together and succeed."
The work from home hackers from Team Fluoroacetate certainly succeeded, winning the Master of Pwn title once again, along with that $130,000 bounty. While the full details of how they exploited Windows 10 and Adobe Reader will not be made public for 90 days to allow the vendors to produce security patches, I can tell you what they did in broad terms.
For the curious, here is Wikipedia's entry on sodium fluoroacetate, a poisonous substance with no known antidote.
Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.
In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.
Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.
Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:
"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.
Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sort of mischief.
On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.
The first to fall was Adobe Reader in the enterprise applications category after Haboob SA's Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.
The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.
Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.
Oracle VirtualBox was hacked using an OOB Read and a stacked-based buffer overflow exploit chain (worth $40,000).
Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.
Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.
[...] After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro's Zero Day Initiative publicly discloses them.
During last year's Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.
Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input
Work from Home Pwn2Own Hackers Make $130,000 in 48 Hours from Windows 10 Exploits
It's March 2018 and Your Windows PC Can Be Pwned By a Web Article