Researcher Earns $100,000 for Reporting a Chrome OS Exploit Chain to Google 


Google has awarded a security researcher $100,000 for discovering and reporting a bug in the Chrome OS - Google's operating system for Chromebox and Chromebooks. Back in 2015, the company had first promised to offer up to $100,000 in bug bounties for an exploit(s) that could lead to persistent compromise of a Chromebook in guest mode. This isn't, however, the first time that such a big bounty has been awarded by the search giant. The same researcher was previously rewarded with $100,000 in bounties for identifying similar Chrome OS vulnerabilities.

Chrome OS flaws led to persistent code execution

"We have a standing $100,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page)," Google says in its Chrome Reward Program Rules.

In a Surprise to No One, Report Reveals That Bug Hunters Are Making Some Big Bucks

Security researcher, Gzob Qq (online moniker) recently posted details of a flaw (or a series of them) that was first reported to the company on September 18. Gzob Qq had found a number of vulnerabilities that could lead to persistent code execution on Chrome OS. SecurityWeek reports that the series of exploits that led to persistent code execution includes five vulnerabilities in total:

  1. An out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401)
  2. Privilege escalation in PageState (CVE-2017-15402)
  3. Command injection flaw in the network_diag component (CVE-2017-15403)
  4. Symlink traversal issues in crash_reporter (CVE-2017-15404),
  5. and cryptohomed (CVE-2017-15405).

The company received a proof of concept of this exploit chain working on Chrome OS version 9592.94.0. Google has now patched all these reported vulnerabilities, with the latest Chromium entry where the researcher first disclosed this exploit chain for persistent code execution being made public earlier this week. The patches were made available on October 27 with the release of Chrome OS 62 (platform version 9901.54.0/1) that notably also included fixes for the KRACK vulnerabilities.

For their work, the researcher has been awarded a big pay check of $100,000. The same researcher has previously also managed to earn $100K in rewards when they had reported a similar Chrome OS exploit chain.

- More technical details of this exploit chain are available here.