A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market.
"I missed out money wise," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two factor authentication software. "But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty."
Google, which pays bounties for bugs reported in its software, cut a check to Oberheide for $1,337. But Oberheide could have used the same bug to walk off with a $15,000 cash prize at Pwn2Own, the hacking challenge that starts Wednesday in Vancouver, British Columbia as part of the CanSecWest security conference.
Oberheide was slated as the first in line to tackle the Samsung Nexus S phone and its Android mobile operating system. Because Pwn2Own is a winner-take-all contest, the first to hack each of the four smartphones receives $15,000, and because Oberheide had a working exploit, he was almost guaranteed the money.
"It was a plain-vanilla and unsophisticated XSS [cross-site scripting] bug, as simple as simple can be," said Oberheide in an interview Monday. "But while the vulnerability was trivial, the impact was fairly significant."
Oberheide had uncovered a bug in Google's Android Market that allowed attackers to force Android phones to download and install malicious software. All that criminals needed to do was to dupe users into clicking a malicious link, either on their desktop or phone.
According to Oberheide, the Android Market, Google's official app store, contained an XSS vulnerability in the e-mart's website. The site lets Android users not only view and select apps for the smartphones, but also allows them to install new apps directly to their phones while browsing the Market on their desktop.
"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector," Oberheide explained in a detailed blog entry posted Monday. "An attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone."
An attack would have to add an app, perhaps just a non-functional placeholder, to exploit the bug. But that's easy.
"It's been shown, by me and others, that its not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."
Although Oberheide was slated to try his hand at Pwn2Own for the first time, he has experience finding flaws in Android Market. Last June, he published a pair of apps to the e-store as part of his research into vulnerabilities that let attackers push malware to Android phones.
Then, Google yanked the apps from the Market and triggered its "kill switch" that automatically uninstalled the programs from users' phones, saying that Oberheide had "intentionally misrepresented their purpose in order to encourage user downloads."
Google threw the kill switch for only the second time last weekend when it started to delete more than 50 malware infected apps from Android phones.
Oberheide immediately reported his newest XSS bug to Google, a move he now has cause to regret. "I didn't think it would qualify for Pwn2Own... and even if it did qualify, it was such low-hanging fruit it probably wouldn't survive until the contest," he said. Turns out, neither assumption was correct.
"I should have waited until I heard from Pwn2Own whether it qualified for the contest," he said Monday. "If I had just waited 24 hours before reporting it to Google... so yeah, I killed my own Pwn2Own bug." Google patched the XSS vulnerability in Android Market a week ago.
Yesterday, Oberheide said he had tentatively cancelled his participation at Pwn2Own. "Unless I can dig up a new XSS in the Android Market, I won't be playing," he said. He's been unsuccessful so far in his hunt for a new vulnerability.
Pwn2Own, which is sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, runs March 9-11, and offers $125,000 in cash prizes to researchers who hack into the four biggest browsers and four smartphones, each of the latter running a different mobile operating system.
Oberheide's final word to researchers who want to learn a lesson from his experience?
"Don't be stupid with your disclosures," he said.