A handful of hackers will leave CanSecWest's security show a little richer than when they arrived after participating in the annual Pwn2Own contest. Charlie Miller, for example, won $10,000 for hacking Safari on a MacBook Pro without having physical access to the rig. You may recall that Miller, a principal security analyst at Independent Security Evaluators, walked away with $5,000 last year for exploiting a hole in Safari, and $10,000 for hacking a MacBook Air in 2008.
Safari wasn't the only software to fall. Peter Vreugdenhil won $10,000 for hacking Microsoft's Internet Explorer 8 browser, while Nils, head of research at UK-based MWR InfoSecurity, collected the same amount for exploiting Firefox on 64-bit Windows 7 (Nils declined to provide his last name).
Ralf Philip Weinmann and Vincenzo Iozzo will share a $15,000 prize for hacking Apple's iPhone. They did so with an exploit, written two weeks ago, that was designed to steal the contents of the SMS database.
"The payload executes and uploads the local SMS database of the phone to the server we control," Weinmann said.
It was a year ago that security researcher Charlie Miller walked away with $10,000 for hacking into a MacBook Air with Safari in just two minutes during the annual Pwn2Own competition, and earlier this month Miller predicted Safari would be the first to fall at this year's event. Miller made good on that promise this week by using a prepared exploit to gain full control of the device in about 10 seconds.
"It's not easy, but this worked with one click [from the Safari browser]," Miller said.
Miller had discovered the exploit last year; it allows a remote attacker to take over a machine if a user clicks on a malicious URL. Details of the exploit, which Miller isn't allowed to divulge, will be shared with Apple by contest sponsor TippingPoint so that Apple can develop a patch.
On the same day, a 25-year-old computer science student at the University of Oldenburg in Germany demonstrated exploits in IE8, Safari, and Firefox, earning him a cool $15,000 ($5,000 per exploit), along with getting to keep the Sony Vaio P series notebook he used (Miller pocketed $5,000 and a MacBook Air).
While three major browsers succumbed to hacking attempts on day one, no mobile exploits have yet been successful. Mobile exploits carry the biggest reward for contest participants, with TippingPoint offering $10,000 for each successful exploit in the major smartphones.