A simple security flaw in android exploit by the biggest online company Google led a researcher to have over than $100,000!
A security researcher was rewarded over $100,000 by Google for exposing a security flaw in Google Pixel smart phones. Guang Gong, a devoted android bug hunter submitted an exploit chain through the Androids Security Rewards (ASR) program last August 2017 and was rewarded $112,500. She was the very first in the ASR history to receive the highest reward which is $105,000 from ASR program and a $7,500 under the Chrome Rewards program as well.
The technical details were revealed by Google on its Android Developer’s blog last Wednesday. The company thanked Gong and her team which is the Alpha Team, Qihoo 360 Technology and also the entire researcher community for bringing up this flaw that may lead consumers to have a big problem later on.
However, the Google company stated that the security flaw was resolved already as part of the December 2017 monthly security update that patched a total of 42 bugs.
The exploit chain covers two bugs. These are the CVE-2017-5116 and the CVE-2017-14904. The other one is a V8 engine bug that was supposed to get remote code execution in sandboxed Chrome render process. The bug is in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Google says that this flaw can be used to inject arbitrary code into system_server by accessing a malicious and threatening URL in the Chrome browser.
Through the Android Security Rewards program, Google recognizes the contribution and help of security researchers working on Android’s security features to provide the users safe and secure smart phone experience. Since October 2017, the smart phones covered under the program include Google Pixel 2, Google Pixel and Pixel XL, and Google Pixel C.
In June 2017, Google increased the ASR payout rewards for exploits leading to TrustZone or Verified Boot. From $50,000 to $200,000. Since then, the company has awarded researchers over $1.5 million up to date.