Researcher Scores Epic $100K Bug Bounty Payout For Google Chrome OS Exploit Chain

Google has been paying out some significant money to get security researchers and hackers to tear apart its Chrome browser and Chrome OS. In March of 2015, Google offered up $100,000 for anyone who could find an exploit chain that would allow for a persistent compromise of a Chromebox or Chromebook using guest mode via a webpage. That $100,000 offer was an increase from the original $50,000 bounty.


That bounty went unclaimed for many months until a researcher who uses the moniker Gzob Qq notified Google on September 18 that he had identified a set of vulnerabilities in Chrome OS. Chained together, the vulnerabilities could lead to persistent code execution on Chromebook and Chromebox devices.

The exploit chain that earned the hacker $100,000 includes, according to SecurityWeek, "an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405)." The full notes on the exploit are published on the Chromium webpage.

The hacker who discovered the vulnerabilities also created a proof-of-concept exploit against Chrome 60 on the Chrome OS 62 platform, version 9592.94.0. Before announcing that the hacker had discovered the vulnerabilities, Google first patched them on October 27 with the release of Chrome OS 62 Platform version 9901.54.0/1. That same patch also fixed the KRACK vulnerability that affected Chrome OS.

Gzob Qq was notified on October 11 that he had earned the $100,000 Pwnium reward, a program that became year-round back in February of 2015. Gzob Qq has been making a nice living the last few years from Google bounties. About a year ago the same researcher earned another $100,000 bounty for finding a similar Chrome OS exploit chain. The largest single bounty that Google has ever given out went to George Hotz at $150,000 for a persistent Chrome OS exploit that he found.