Pwn2Own hackers go remote, then crack macOS and Oracle machines anyway

One team's macOS exploit chain ended with the calculator app running with root privileges, the contest's conventional proof that a machine has been taken over.
Apple MacBook dongles (Blake Patterson / Flickr)

If any demographic should be set up to work remotely, it’s hackers.

The Pwn2Own hacking contest, in which security researchers earn cash rewards for demonstrating previously unknown flaws in commercial technology, closed its spring 2020 edition Thursday after participants targeted macOS and Oracle VirtualBox, among other systems. It is a premier competition that global technology firms now use to recruit bug hunters who might be able to help protect widely used products.

Unlike prior contests, which have taken place in Vancouver and Miami, organizers conducted much of this tournament online amid the novel coronavirus pandemic.

For participants, it didn't seem to make much of a difference.

The winning team, Fluoroacetate, made up of researchers Amat Cama and Richard Zhu, demonstrated exploits against Microsoft Windows and Adobe Reader that relied on local privilege escalation, in which an attacker who already has code running as a low-privileged user abuses a flaw to gain higher privileges, such as those of the operating system kernel, and with them control over the rest of the machine. They won a combined $90,000 for the successful hacks.

In another case, researcher Phi Pham Hong, of Singapore-based Star Labs, won $40,000 for an exploit of Oracle VirtualBox, software that runs virtual machines: an out-of-bounds read bug leaked memory contents, and that information was then used to execute unauthorized code. A spokesperson declined to share footage of the VirtualBox hack, saying the attempt "reveals too much information about the exploit."

A team from the Georgia Tech Systems Software & Security Lab won $70,000 for a macOS exploit that ended with the calculator app running with root privileges, essentially taking control of the device and proving it with one of the most innocuous apps on the system.

All bugs were reported to the affected companies immediately, contest organizers said.