Google has awarded $112,500 (roughly Rs. 71,83,300) to a security researcher for exposing a security flaw in Google Pixel Tablets.
Guang Gong submitted an exploit chain through the Android Security Rewards (ASR) programme in August 2017. It was the first working remote exploit chain since the search giant expanded the ASR programme. Gong was granted $105,000 (approximately Rs. 67,04,40), which Google claims is the maximum reward in the ASR programme’s history. Gong was additionally awarded $7,500 (approximately Rs. 4,78,900) under the Chrome Rewards program.
The technical details of this exploit were revealed by Google on its own Android Developer’s site on Wednesday. The search giant thanked Gong, who is from Alpha Team, Qihoo 360 Technology, and the entire researcher community for discovering and reporting security vulnerabilities. Meanwhile, Google said the full set of issues was resolved as part of its December 2017 monthly security update, which patched a total of 42 bugs.
The exploit chain covers two bugs: CVE-2017-5116 and CVE-2017-14904. The first is a V8 engine bug that is used to gain remote code execution in the sandboxed Chrome renderer process, while the latter is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Google says this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.
Google, through the Android Security Rewards programme, recognises the contributions of security researchers working on Android’s security features.
In June 2017, Google increased the ASR payout rewards for a remote exploit chain or exploits resulting in TrustZone or Verified Boot compromise from $50,000 (roughly Rs. 31,92,600) to $200,000 (approximately Rs. 1,27,70,300). Through this programme, Google has given researchers more than $1.5 million (approximately Rs. 9,57,77,200) so far, with the top research team earning $300,000 (approximately Rs. 1,91,55,450) for 118 vulnerability reports.