Prolific bug hunter Guang Gong has earned the highest-ever payout for a vulnerability in the history of Google’s Android Security Rewards program, which began in 2015.
He earned a combined $112,500 for the disclosure of an Android exploit chain impacting Google’s Pixel handset that could allow an attacker to inject arbitrary code via a malicious URL accessed via the phone’s Chrome browser.
Gong, a researcher with Qihoo 360’s Alpha Team, earned $105,000 via Google’s Android Security Rewards program and a bonus $7,500 through the Chrome Rewards program. Google said the issues were patched as part of its December 2017 monthly security update.
The exploit chain included CVE-2017-5116 and CVE-2017-14904, both rated as “high” severity bugs by the Common Vulnerability Scoring System.
The first vulnerability (CVE-2017-5116) is a V8 engine type confusion bug that allows “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML,” according to the MITRE description. The second flaw (CVE-2017-14904) is “a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox,” according to a description in an Android Developers Blog.
“Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome,” Google wrote.
> Gong Guang from 360 Alpha Team succeeded in exploiting Google Pixel in #PwnFest2016 #POC2016. pic.twitter.com/a2jnJDR8w6
>
> — vangelis (@vangelis_at_POC) November 11, 2016
For years Gong and Alpha Team have been successful bug hunters, discovering copious vulnerabilities in the Android ecosystem. At the 2016 PwnFest hacker contest, Gong was awarded $120,000 in prize money by event sponsors for exploiting a zero-day vulnerability in Google’s Pixel phone in less than 60 seconds.
The largest-ever payout by the Android Security Rewards program comes on the heels of a decision by Google to increase its maximum bounties: from $30,000 to $150,000 for a remote kernel exploit, and from $50,000 to $200,000 for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise.