It was a year ago that security researcher Charlie Miller walked away with $10,000 for hacking into a MacBook Air with Safari in just two minutes during the annual Pwn2Own competition, and earlier this month Miller predicted Safari would be the first to fall at this year's event. Miller made good on that promise this week by using a prepared exploit to gain full control of the device in about 10 seconds.
"It's not easy, but this worked with one click [from the Safari browser]", Miller said .
Miller had discovered the exploit last year, which allows a remote attacker to take over a machine if a user clicks on a malicious URL. Details of the exploit, which Miller isn't allowed to divulge, will be shared with Apple from contest sponsor TippingPoint so that Apple can develop a patch.
On the same day, a 25-year-old computer science student at the University of Oldenburg in Germany demonstrated exploits in IE8, Safari, and Firefox, earning him a cool $15,000 ($5,000 per exploit), along with getting to keep the Sony Vaio P series notebook he used (Miller pocketed $5,000 and a MacBook Air).
While three major browsers succumbed to hacking attempts on day one, no mobile exploits have yet been successful. Mobile exploits carry the biggest reward for contest participants, with TippingPoint offering $10,000 for each successful exploit in the major smartphones.