Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest

Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.


This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products including web browsers, virtualization, servers, and more. A three-day affair that spans multiple hours a day, this year's Pwn2Own event was livestreamed on YouTube.

Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates from RET2 Systems executed a Safari-to-kernel zero-day exploit and earned himself $100,000. He used an integer overflow in Safari and an out-of-bounds (OOB) write to get kernel-level code execution, as demoed in the tweet below.


Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.

A serious Zoom flaw was demonstrated by Dutch researchers Daan Keuper and Thijs Alkemade, for example. The duo exploited a trio of flaws to get total control of a target PC using the Zoom app with no user interaction.


Pwn2Own participants received more than $1.2 million in rewards for the bugs they discovered. Pwn2Own gives vendors like Apple 90 days to produce a fix for the vulnerabilities that are uncovered, so we can expect the bug to be addressed in an update in the not-too-distant future.


Top Rated Comments

antiprotest
7 months ago
Please set up a reward for fixing iCloud Tabs sync. Apparently the people at Apple cannot do it after like a decade.
Score: 16 Votes
mistasopz
7 months ago

The Chinese government is run by Chinese. And yes, if you are singling out the Chinese government, you are basically saying Chinese are cheaters and Chinese are thieves.

But every government in the world does spy on each other, stealing information etc.
That's some pretty loopy logic there. If I criticise the Canadian government am I racist towards Canadians (after all it's run by Canadians)? Of course not, what ridiculousness. There are 1.4 billion Chinese people and being critical of their leadership is not the same thing as hating 1.4 billion people because of their ethnicity. And if you think they are your friend, you better read up on your own history (Nortel IP theft for example).
Score: 9 Votes
mistasopz
7 months ago

Aren't you being racist when you single out the Chinese government?
The Chinese government is not a race.
Score: 9 Votes
steve217
7 months ago
Given the cost of a breach, $100k is a bargain.
Score: 7 Votes
BWhaler
7 months ago
I always worry given Zoom's ties to China and the slipshod way they went for growth above all, if some of these "flaws" are actually backdoors.

As convenient and pervasive as Zoom is, no way I would trust it if I was a CTO or enterprise security officer.
Score: 5 Votes
T Coma
7 months ago
Ah yes, the old integer overflow and OOB write trick. Classic.
Score: 3 Votes
