The 2020 spring edition of the Pwn2Own hacking competition has ended, with Team Fluoroacetate being crowned this year’s winner as it scored nine Master of Pwn points. Pwn2Own is a computer hacking contest held every year at the CanSecWest security conference. The event was initiated in 2007 and the contest is held twice every year; the last one was held in November 2019. Contestants at the Pwn2Own contest are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. This year’s Pwn2Own was the first time the hacking contest was hosted online. The participants sent their exploits in advance to the Pwn2Own organisers, who ran the code during a live stream with all participants present.
The winning Team Fluoroacetate consists of two security researchers named Amat Cama and Richard Zhu, who won the contest by scoring nine points across the two-day competition, a two-point lead over the runners-up, the Georgia Tech Systems and Security Lab team. This is Team Fluoroacetate’s fourth Pwn2Own victory in a row, according to a ZDNet report.
The report said that during this iteration of the Pwn2Own contest, six teams managed to hack into apps and operating systems like Windows, macOS, Ubuntu, Safari, Adobe Reader, and Oracle VirtualBox. All bugs exploited during the contest were also reported immediately to the respective companies.
Following are the results of every team’s efforts:
- The Georgia Tech Systems Software and Security Lab, the runners-up of the competition, targeted Apple’s Safari browser with a macOS kernel escalation of privilege. The team used a six-bug exploit chain to pop the calculator app on macOS and escalate its access rights to root. The team earned a $70,000 reward and 7 Master of Pwn points.
- A member of the winning team, Fluoroacetate, targeted Microsoft Windows with a local privilege escalation. The exploit was also reported successful and earned them a $40,000 reward, along with 4 Master of Pwn points.
- A member from the RedRocket CTF Team targeted Ubuntu Desktop with a local privilege escalation. The hacker used an improper input validation bug to escalate privileges. He earned a reward of $30,000 and 3 Master of Pwn points.
- The winning team, Fluoroacetate, targeted Microsoft Windows with a local privilege escalation as well. This won them $40,000 separately, along with 4 more Master of Pwn points.
- The Fluoroacetate team also targeted Adobe Reader with a Windows local privilege escalation, which was also successful, earning them 5 more Master of Pwn points and $50,000 more.