Why Google awards Rs 71 lakh to this developer ? - Jan 2018 News

Started by Sudhakar, Jan 21, 2018, 01:10 AM


Sudhakar

Why Google awards Rs 71 lakh to this developer ? - Jan 2018 latest update

The search engine giant Google has awarded $112,500 (Rs 71.83 lakh) to a developer for reporting a serious Android bug. This is the highest reward Google has offered in its history.

An exploit chain reported by the security researcher could compromise the security of Google's Pixel devices. Guang Gong of Alpha Team from Qihoo 360 Technology Co Ltd submitted the first working prototype of the exploit in August 2017. Google offered an immediate reward of $105,000 (Rs 67.04 lakh) for the detailed report and an additional $7500 (Rs 4.78 lakh) through the Chrome Rewards program, bringing the total to $112,500 (Rs 71.83 lakh).

Guang Gong discovered a remote exploit chain in the Pixel phone along with his Alpha Team from Qihoo 360 Technology Co Ltd. Since the Pixel phone is protected by layers of security, Gong was surprised by this discovery. Pixel is probably the only device that was pwned in the 2017 Mobile Pwn2Own competition.

Google acknowledged the exploit chain, whose two vulnerabilities are identified as CVE-2017-5116 and CVE-2017-14904. The first is a type confusion bug in the V8 engine. It can lead to remote code execution in the sandboxed Chrome renderer process.

The second flaw is in Android's libgralloc module and can be used to escape from Chrome's sandbox. A map and unmap mismatch triggers this bug. If both vulnerabilities are combined, an attacker can remotely inject malicious code into a targeted Pixel phone. The injected code executes in the system_server process when a malicious URL is opened in the Chrome browser.

If targeted users open the URL, their devices can be compromised. A remote attacker can hijack the data and even use the device's hardware for surveillance. This is a major vulnerability and probably the first working remote exploit chain submitted through the Android Security Rewards (ASR) program to date.

The company has patched the bugs in December's security update. The monthly update patches a total of 42 bugs. All Pixel users and partner devices will automatically install these updates. The user has to restart to complete the installation of these bug patches.

Google has increased the bug bounty payouts for its Android Security Rewards (ASR) program. The company has recently worked closely with researchers to streamline the process. Developers and security researchers from around the world can submit their findings on Android exploits and vulnerabilities under the Android Security Rewards (ASR) program.

- Rajat Kabade

Source : https://www.techgig.com/tech-news/Why-Google-awards-Rs-71-lakh-to-this-developer-152853