Researcher blows $15K by reporting bug to Google

Reported an Android Market flaw that would have won him top-dollar at Pwn2Own

A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.

"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."

Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337.

But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.

Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest -- the first to hack each of the four smartphones receives $15,000 -- and because Oberheide had a working exploit, he was almost guaranteed the money.

"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."

Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.

According to Oberheide, the Android Market -- Google's official app store -- contained an XSS vulnerability in the e-mart's Web site. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.

"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."

An attacker would have to add an app -- perhaps just a non-functional placeholder -- to the Market to exploit the bug. But that's easy.

"It's been shown, by me and others, that it's not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."

Although Oberheide was slated to try his hand at Pwn2Own for the first time, he has experience finding flaws in Android Market. Last June, he published a pair of apps to the e-store as part of his research into vulnerabilities that let attackers push malware to Android phones.

Then, Google yanked the apps from the Market and triggered its "kill switch" that automatically uninstalled the programs from users' phones, saying that Oberheide had "intentionally misrepresented their purpose in order to encourage user downloads."

Google threw the kill switch for only the second time last weekend when it started to delete more than 50 malware-infected apps from Android phones.

Oberheide immediately reported his newest XSS bug to Google, a move he now has cause to regret. "I didn't think it would qualify for Pwn2Own...and even if it did qualify, it was such low-hanging fruit it probably wouldn't survive until the contest," he said.

Turns out, neither assumption was correct.

"I should have waited until I heard from Pwn2Own whether it qualified for the contest," he said Monday. "If I had just waited 24 hours before reporting it to Google.... So yeah, I killed my own Pwn2Own bug."

Google patched the XSS vulnerability in Android Market a week ago.

Yesterday, Oberheide said he had tentatively canceled his participation at Pwn2Own. "Unless I can dig up a new XSS in the Android Market, I won't be playing," he said. He's been unsuccessful so far in his hunt for a new vulnerability.

Pwn2Own, which is sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, runs March 9-11, and offers $125,000 in cash prizes to researchers who hack into the four biggest browsers and four smartphones, each of the latter running a different mobile operating system.

Oberheide's final word to researchers who want to learn a lesson from his experience?

"Don't be stupid with your disclosures," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
Gregg Keizer

Computerworld (US)