PWN to OWN: Hack a Mac, Win a Macbook Pro and $10000

CanSecWest Conference Last week, US IT security corporation TippingPoint offered $10000 to the first person who would be able to hack into one of their Macbook Pro located at the CanSecWest conference. People interested in participating only had to present themselves at the conference and bust into one of the two designated laptops. Both machines, which were available via Wi-Fi or Ethernet, had all the latest updates from Apple installed.

We’ve announced that we will be having a contest “PWN to OWN” where two, pimp, loaded up, Apple Macbook Pro’s will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, Can’t use the same vuln on both.) If they survive the three days in the “jungle,” they become prizes for best lightning talk and best speaker. Detailed contest rules to follow shortly (Source: CanSecWest)

Originally, TippingPoint had decided to give away one of the 2 laptops to the victor of the challenge, but finally, they chose to increase the stake by offering an additional prize of $10000 on top of the existing one.

The competition ended only 9 hours after it started when Shane Macaulay and Dino Dai Zovi, a software engineer and security researcher, were able to find and exploit a new vulnerability that took advantage of an open Safari browser window.

“A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple’s Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest “pwn-2-own” contest in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.

The exploit means that Dino Dai Zovi is the rightful owner of the 2.3Ghz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program. More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines.”

Yes folks, this only proves one thing: the unbeatable Mac security that Apple users have been boasting about for years has always been a myth.

(via The Register)