Security News > 2021 > April > Chrome Zero-Day Exploit Posted on Twitter

A researcher has dropped working exploit code for a zero-day remote code execution vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.

Pwn2Own contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal said in a comment posted in response to his own tweet.

Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the exploit code for a type mismatch bug during last's week's contest, and used it to successfully exploit the Chromium vulnerability to run malicious code inside Chrome and Edge.

The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal's post on Monday.

While the exploit code that Agarwal posted does indeed allow an attacker to run malicious code on a user's operating system, he apparently was not unscrupulous enough to post a fully weaponized version of the code, according to The Record - he did not post a full exploit chain that would allow sandbox escape.

The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards - with $1.5 million in total prize money at stake - for each successful exploit from the contest's sponsors as well as points towards the overall ranking.

News URL

https://threatpost.com/chrome-zero-day-exploit-twitter/165363/