Safari, Chrome and Samsung Galaxy S4 taken down in Mobile Pwn2Own

Results from the second annual Mobile Pwn2Own competition ending today at PacSec Applied Security Conference in Tokyo, Japan, are in: the successful compromises include Samsung Galaxy S4 in the OS category, and Safari and Chrome in the mobile browser category.

The Chinese Keen Team (from Keen Cloud Tech) has shown two separate Safari exploits that allowed them to capture Facebook credentials on iOS version 7.0.3 and steal a photo on iOS version 6.1.4.

“The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised,” explained Heather Goudey, senior security content developer at HP (the company whose Zero Day Initiative is behind the contest).

The second was also a Safari exploit that took advantage of vulnerabilities in the application’s permission model, and also required user interaction (a click on a link). The researchers raked in $27,500 in rewards – it would have been more if they targeted and managed to compromise the sandbox.

Japanese Team MBSD (from Mitsui Bussan Secure Directions) came up with a a series of exploits targeting different default applications on Samsung Galaxy S4, and managed to chain them together in order to secretly install a malicious data-stealing app on the device. The app was able to exfiltrate data such as contacts, bookmarks, browsing history, SMS messages, and so on. It’s also good to know that for the exploits to work, targeted users are nor required to click on a link, but must simply be lured to visit a specially crafted website.

“The implications for this exploit are worrisome. While you may be reticent to click on links (heeding the commonly-given, if somewhat ridiculous advice to “click carefully’) it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop,” Goudey pointed out. “The message here, however, is clear – mobile platforms are vulnerable to the same or very similar methods of malware distribution that plague the desktop and you would be wise to take heed.”

The prize that the Japanese team took home amounts to $40,000.

On day two of the contest, a teenage security researcher that goes by the alias “PinkiePie” and who has already successfully competed in last year’s Pwn2Own, has succeeded in compromising Chrome first on a Nexus 4 and then on a Samsung Galaxy S4.

“The exploit took advantage of two vulnerabilities – an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape,” shared Goudey. “The implications for this vulnerability are the possibility of remote code execution on the affected device.”

As in previous demonstrated attacks, users are required to click on a malicious link in order for the attack to succeed. According to the set prizes, PinkiePie is going home with $50,000 in his pocket.

As defined by the rules, the companies behind the vulnerable browsers, operating systems and devices have received the details of the exploited vulnerabilities, and will hopefully patch them quickly.