Advertisment

Google awards researcher $110K for Pixel exploit

author-image
CIOL Writers
New Update
Google is acquiring light-field camera startup Lytro for $40M

Google has awarded a total of $112,500 to a security researcher for his discovery of a critical remote exploit chain that affected Google Pixel devices.

Advertisment

Chinese security researcher with Qihoo 360 Technology, Guang Gong reported the bugs to Google through its Android Security Rewards programme last August, and the issues were fixed in the December 2017 security update. The tech giant revealed the technical details of the exploit chain on Wednesday.

The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. The first vulnerability is a V8 engine type confusion bug which can be utilized for remote code execution in sandboxed Chrome render process environments.

The second security flaw is found in Android's libgralloc module and can be used to escape from Chrome's sandbox due to a map and unmap mismatch, which can, in turn, prompt a Use-After-Unmap error. Together, these bugs can be leveraged to inject code into the system_server process by opening a malicious URL in Chrome.

Pixel users clicking on such a link in Chrome could have had their devices compromised, which could include additional harmful software downloads or the theft of personal information. Google says the find is the first working remote exploit chain submitted through the program to date.

Gong was awarded $105,000 for his report, with an additional bonus of $7500 through the Chrome Rewards program.

google cyber-security