Researchers at the annual Pwn2Own hacking contest found two zero-day exploits in Apple’s Safari browser this week. A zero day is a software vulnerability that the software vendor does not yet know about, so the vendor has had zero days to prepare and fix it. Zero days are highly coveted by individual hackers, criminal organizations, and governments alike.
This year marks the 10th anniversary of Pwn2Own, a gathering where hackers and researchers compete in challenges to find security holes in popular software and mobile devices. Two Safari zero days were found by white-hat hackers at this year’s contest.
Safari Zero Days
In Pwn2Own 2017, eleven hacking teams competed for a one-million-dollar prize. Two different teams were able to find and exploit two security holes in Safari. One team, Chaitin Security Research Lab, rigged together an exploit that used six separate bugs. They were able to elevate their user access to root level on macOS, which netted them US$30,000.
Samuel Groß and Niklas Baumstark exploited five bugs and displayed a message on the 2016 MacBook Pro’s Touch Bar. They won US$28,000. As usual, these Safari zero days will be given to Apple so the company can fix them before the details are made public.