Security researchers exploited vulnerabilities in Google's Pixel phone, Apple's Safari browser, and Microsoft Edge browser at the PwnFest 2016 hacking event. Senior security researcher Guang Gong at Qihoo 360's Alpha Team exploited a zero-day vulnerability in Google's Pixel phone in less than 60 seconds.
The security researcher exploited a remote code execution flaw by sending a specially crafted packet. The vulnerability, which affects both the standard and XL versions of the Pixel, has not yet been patched.
The zero-day “isn't entirely surprising,” according to Check Point mobile security evangelist Jeff Zacuto, who noted that every version of every OS has flaws. “Clearly, even brand new devices with the latest technology and security enhancements are vulnerable right out of the box,” he wrote in an email to SC Media.
The Tencent Keen Security Lab Team discovered a separate zero-day exploit in the Pixel phone at the Mobile Pwn2Own event in Japan last month.
Qihoo's Guang Gong was awarded a $120,000 cash prize for the remote code execution flaw. The proof-of-concept was one of several exploits discovered by researchers at the PwnFest 2016 event during the POC2016 conference in Seoul, South Korea.
Windows 10's Microsoft Edge browser was exploited at PwnFest 2016 by two independent security teams. Independent researcher JungHoon “Lokihardt” Lee and a Qihoo 360 security team both exploited system-level remote execution flaws. Lokihardt hacked the Microsoft Edge browser in 18 seconds.