Security News

Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance systems, and NAS devices from Canon, Synology, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP. Interrupt Labs security researchers were the first to demo a Samsung Galaxy S23 zero-day in an improper input validation attack, while the ToChim team exploited a permissive list of allowed inputs to hack Samsun's flagship.

Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. Pentest Limited was the first to demo a zero-day on Samsung's flagship Galaxy S23 device by exploiting improper input validation weakness to gain code execution, earning $50,000 and 5 Master of Pwn points.

VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution systems running unpatched versions of the company's Workstation and Fusion software hypervisors. The two flaws were part of an exploit chain demoed by the STAR Labs team's security researchers one month ago, during the second day of the Pwn2Own Vancouver 2023 hacking contest.

Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-day exploited between March 22 and 24. The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which Team Synacktiv won.

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3. The first to fall was Adobe Reader in the enterprise applications category after Haboob SA's Abdul Aziz Hariri used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

On the third day of the Pwn2Own hacking contest, security researchers were awarded $185,000 after demonstrating 5 zero-day exploits targeting Windows 11, Ubuntu Desktop, and the VMware Workstation virtualization software. The highlight of the day was the Ubuntu Desktop operating system getting hacked three times by three different teams, although one of them was a collision with the exploit being previously known.

Competitors successfully exploited zero-day bugs in multiple products during the second day of Pwn2Own Vancouver 2023, including the Tesla Model 3, Microsoft's Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system. Team Viettel hacked also Microsoft Teams via a 2-bug chain to earn $78,000 and Oracle's VirtualBox using a Use-After-Free bug and an uninitialized variable for $40,000.

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3. The STAR Labs team demoed a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.

Pwn2Own paid out almost $1 million to bug hunters at last week's consumer product hacking event in Toronto, but the prize money wasn't big enough attract attempts at cracking the iPhone or Google Pixel because miscreants can score far more from less wholesome sources. The contest planned to give away $250,000 for a successful iPhone or Google Pixel exploit, he told The Register, in an exclusive interview at the end of the four-day event.

Pwn2Own is now a multi-million "Hackers' brand" in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems. Even in the Pwn2Own Toronto 2022 contest, where the cash amounts of the prizes far exceeded the value of the devices up to be hacked, winners got to take home the actual kit they broke into, thus retaining the original, literal sense of the competition.