The Pwn2Own 2021 hacking competition has come to an end; participants earned more than $1.2 million, which is more than has ever been paid out at this contest.
White hat hackers demonstrated exploits for Safari, Chrome, Edge, Windows 10, Ubuntu, Microsoft Teams, Zoom, Parallels, Oracle VirtualBox, and Microsoft Exchange, for a total of 23 attempts.
Only Oracle VirtualBox was not hacked; experts demonstrated working exploits for all the other products.
The participants have already shared their exploits with the vendors, which have 90 days to address all reported vulnerabilities.
On Day 3, four attempts achieved partial success and another four were successful. Hackers demonstrated working exploits against Parallels Desktop, Ubuntu Desktop, and Windows 10.
None of the above successes received a payout of more than $40,000.
The highest reward for this edition was $200,000, paid out to team Devcore for an Exchange server exploit obtained by chaining authentication bypass and local privilege escalation flaws, to Daan Keuper and Thijs Alkemade from Computest for a zero-click Zoom exploit, and to the researcher OV for a Microsoft Teams exploit.
Trend Micro’s Zero Day Initiative (ZDI), the organizer of Pwn2Own 2021, confirmed that participants earned a total of $1,210,000 of the $1.5 million prize pool. This is the highest total ever; in 2020, participants earned $270,000 for their exploits, while in 2019 they earned $545,000.