Researcher rewarded under Android Security, Chrome Rewards programmes
Researcher submitted the exploit chain in August 2017
Issues resolved as part of the December 2017 monthly security update
Google has awarded $112,500 (roughly Rs. 71,83,300) to a security researcher for exposing a security flaw in Google Pixel smartphones. Guang Gong, in August 2017 submitted an exploit chain through the Android Security Rewards (ASR) programme. It was the first working remote exploit chain since the search giant has expanded the ASR program. Gong was awarded $105,000 (roughly Rs. 67,04,40), which Google claims is the highest reward in the ASR programme’s history. Additionally, she was awarded $7,500 (roughly Rs. 4,78,900) under the Chrome Rewards program as well.
The technical details of the exploit were revealed by Google on its Android Developer’s blog on Wednesday. The search giant thanked Gong, who is from Alpha Team, Qihoo 360 Technology, and the entire researcher community for finding and responsibly reporting security vulnerabilities. Meanwhile, Google said the complete set of issues was resolved as part of the December 2017 monthly security update, which patched a total of 42 bugs.
The exploit chain covers two bugs – CVE-2017-5116 and CVE-2017-14904. While the first one is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process the latter is is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Google says this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.
Google, through the Android Security Rewards programme, recognises the contributions of security researchers working on Android’s security features. As of October 2017, the smartphones covered under the program include Google Pixel 2, Google Pixel and Pixel XL, and Google Pixel C.
In June 2017, Google had increased the ASR payout rewards for remote exploit chain or exploits leading to TrustZone or Verified Boot compromise from $50,000 (roughly Rs. 31,92,600
) to $200,000 (roughly Rs. 1,27,70,300). Through this program, Google has awarded researchers over $1.5 million (roughly Rs. 9,57,77,200) to date, with the top research team earning $300,000 (roughly Rs. 1,91,55,450)for 118 vulnerability reports.