Chromebook exploit earns researcher second $100k bounty

For Google’s bug bounty accountants, lightning just struck twice.

In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks.

Twelve months on, the same researcher was wired an identical payout for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS.

By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.”

More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?

By Chromebook standards the latest issue is a biggie: an exploit chain of five separately numbered CVEs that would allow an attacker to remotely pwn the system via nothing more than a web page.

Rated as high severity, these are: an out of bounds memory access in Chrome’s V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection in network_diag (CVE-2017-15403), a symlink traversal in crash_reporter (CVE-2017-15404), and a symlink traversal in cryptohomed (CVE-2017-15405).
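Two of the five bugs above are symlink traversals in privileged Chrome OS daemons. The example below is added here and is not code from Chrome OS, crash_reporter or cryptohomed: it is a generic illustration of the defect class and its fix. A privileged process that writes a report into a directory where a less-privileged user can plant entries must not follow a symlink sitting at the destination, or it ends up writing wherever the link points. The naive writer uses `fopen()`, which follows links; the hardened writer opens the directory with `O_NOFOLLOW`, then creates the file relative to it with `O_CREAT|O_EXCL|O_NOFOLLOW`, so a pre-existing entry makes the call fail instead of being followed. The spool directory, file names and contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Defective pattern: fopen() follows a symlink that someone else planted at
 * the destination, so a privileged daemon writes into the link's target.
 * Returns 0 on success, -1 on failure. */
int naive_write(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: no path components in the name, directory opened without
 * following links, file created relative to it with O_EXCL|O_NOFOLLOW so any
 * pre-existing entry (symlink or file) causes EEXIST instead of being reused.
 * Returns 0 on success, -1 with errno set on failure. */
int safe_write(const char *dir, const char *name, const char *data) {
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    ssize_t len = (ssize_t)strlen(data);
    ssize_t rc = write(fd, data, (size_t)len);
    close(fd);
    return rc == len ? 0 : -1;
}

/* Read a small file into buf; returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Constructed scenario: a spool directory containing a victim file and a
 * symlink "report.log" pointing at it. Returns 1 when the naive writer
 * clobbers the victim through the link while the hardened writer refuses
 * the link but still accepts a fresh name; 0 otherwise; -1 on setup error. */
int demo(void) {
    char tmpl[] = "/tmp/spoolXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    char target[256], link[256], fresh[256];
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/report.log", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    if (naive_write(target, "original\n") != 0) return -1;  /* victim file */
    if (symlink(target, link) != 0) return -1;              /* planted link */

    int naive_rc = naive_write(link, "clobbered\n");        /* follows link */
    char buf[64];
    ssize_t n = read_small(target, buf, sizeof buf);
    int clobbered = n > 0 && strncmp(buf, "clobbered", 9) == 0;

    int safe_rc = safe_write(dir, "report.log", "again\n");  /* must refuse */
    int refused = safe_rc == -1 && errno == EEXIST;
    int fresh_ok = safe_write(dir, "fresh.log", "ok\n") == 0;

    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return (naive_rc == 0 && clobbered && refused && fresh_ok) ? 1 : 0;
}

int main(void) {
    printf("naive writer followed link, safe writer refused: %s\n",
           demo() == 1 ? "yes" : "no");
    return 0;
}
```

The `O_EXCL` flag is what turns a race into a hard failure: even if the link appears between the directory open and the file create, the kernel refuses to open through it, so the daemon never has to "check then act" on a path it does not control.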

Anyone running the stable channel who turned on their Chromebook or Chromebox on or after 27 October would have received an automatic update to version 62.0.3202.74 (or later) so the issue can be fixed by nothing more taxing than a 10-second reboot.

That update, incidentally, also fixed another high-priority flaw, CVE-2017-15400, as well as curing the cascade of Wi-Fi vulnerabilities making up KRACK.

Which all goes to show that while Chrome OS has suffered far fewer flaws than the “full service” Windows and Apple platforms it would like to supplant, that doesn’t mean it suffers from none at all.

And the number of flaws seems to be increasing as the platform gets more attention.

A few weeks back, the platform was hit by a critical vulnerability (CVE-2017-15361) found in Infineon Trusted Platform Modules (TPMs), rapidly fixed by an update. That issue also affected many PCs, but because Chromebooks use TPMs by design they were smack in the firing line.

Not to mention, there’s also been angst about the small but expanding number of mainly nuisance Chrome extensions – like cryptocurrency miners, adware and web redirectors – targeting the platform’s users from inside Google’s Web Store.

But let’s return to the notion that the bug bounty program is paying off for Google.

A turning point was the record $150,000 Google handed to “celebrity” hacker George Hotz for finding a clutch of high-severity Chrome OS flaws at Google’s Pwnium event held during CanSecWest 2014.

By the time Google turned Pwnium into a year-round bounty programme, lightbulbs lit up inside Google at the PR possibilities. Nowadays you can hardly move for the company’s bounty programmes.

There’s even one to pay people to tell Google about rogue apps inside its Play Store, something the company has been having trouble stopping on its own.

Bug bounties have come a long way since the days a decade ago when critics convinced themselves that offering money for flaws might result in a bidding war won by criminals which, of course, was going to happen anyway.

For Google and others, it’s become a cost-effective way to crowdsource vulnerabilities without having to employ expensive researchers to do it full time.

Google particularly likes bug bounties for Chrome OS because they draw attention to how easy the whole patching and update cycle is on Chromebooks compared to Windows PCs: updates are deployed automatically and rapidly, and installed onto a mirrored partition so a reboot switches to the patched system.

Chromebooks aren’t invulnerable. But at least when flaws strike, it’s Google’s problem to worry about, not the users’.