Researcher blows $15K by reporting bug to Google

Reported an Android Market flaw that would have won him top-dollar at Pwn2Own

A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.

"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security , a developer of two-factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."

Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337.

But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.

Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest -- the first to hack each of the four smartphones receives $15,000 -- and because Oberheide had a working exploit, he was almost guaranteed the money.

"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."

Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.

According to Oberheide, the Android Market -- Google's official app store -- contained an XSS vulnerability in the e-mart's Web site. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.

"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."

An attack would have to add an app -- perhaps just a non-functional placeholder -- to exploit the bug. But that's easy.

"It's been shown, by me and others, that its not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."

Although Oberheide was slated to try his hand at Pwn2Own for the first time, he has experience finding flaws in Android Market. Last June, he published a pair of apps to the e-store as part of his research into vulnerabilities that let attackers push malware to Android phones.

Then, Google yanked the apps from the Market and triggered its "kill switch" that automatically uninstalled the programs from users' phones, saying that Oberheide had "intentionally misrepresented their purpose in order to encourage user downloads."

Google threw the kill switch for only the second time last weekend when it started to delete more than 50 malware-infected apps from Android phones.

Oberheide immediately reported his newest XSS bug to Google, a move he now has cause to regret. "I didn't think it would qualify for Pwn2Own...and even if it did qualify, it was such low-hanging fruit it probably wouldn't survive until the contest," he said.

Turns out, neither assumption was correct.

"I should have waited until I heard from Pwn2Own whether it qualified for the contest," he said Monday. "If I had just waited 24 hours before reporting it to Google.... So yeah, I killed my own Pwn2Own bug."

Google patched the XSS vulnerability in Android Market a week ago.

Yesterday, Oberheide said he had tentatively canceled his participation at Pwn2Own. "Unless I can dig up a new XSS in the Android Market, I won't be playing," he said. He's been unsuccessful so far in his hunt for a new vulnerability.

Pwn2Own, which is sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, runs March 9-11, and offers $125,000 in cash prizes to researchers who hack into the four biggest browsers and four smartphones, each of the latter running a different mobile operating system.

Oberheide's final word to researchers who want to learn a lesson from his experience?

"Don't be stupid with your disclosures," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags consumer electronicsGoogleMobile Apps and ServicessecuritysmartphonesPhonesMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?