As early as 2015, Google decided to “raise rates” and said that it would pay $ 100,000 to a specialist who will be able to create and demonstrate a chain of exploits that ensures a steady compromise of Chromebox or Chromebook through a web page in guest mode. Let me remind you that before that, the company offered $ 50,000 for such a proof-of-concept.
Last week, it became known that as early as September 2017, an IS specialist known as Gzob Qq discovered a number of vulnerabilities that allow for a persistent compromise of Chromebox or Chromebook devices while respecting the rest of the “task” conditions.
The expert demonstrated to Google engineers a working proof-of-concept exploit, which was tested on Chrome 60 and Chrome OS version 9592.94.0. As a result, at the end of October, with the release of Chrome OS 62 version 9901.54.0 / 1, the problems found by the researcher were eliminated, along with the recently discovered vulnerability of KRACK.
As it turned out, back in October, the expert was informed that he was receiving a Pwnium reward of $ 100,000. But details about the attack and individual vulnerabilities were revealed only last week, and now a detailed report of Gzob Qq is available here.
It is worth noting that this is not the first time that Gzob Qq receives such a large reward for exploits and bugs.So, a year ago, he already received the same big award from Google, having demonstrated a very similar PoC-chain of exploits for Chrome OS.