The Pwn2Own 2021 event is promoted by the Zero Day Initiative as a way to encourage developers and researchers to report zero-day vulnerabilities to the affected companies instead of selling these breaches to malicious hackers. This year, systems researcher Jack Dates was paid $100,000 after finding a new exploit in Apple’s Safari web browser.
For those unfamiliar with the term, a zero-day exploit is basically a newly discovered vulnerability for which the developers do not yet have a fix.
Dates used an integer overflow to get kernel-level code execution through Safari for Mac, which means that the exploit leads to full access to the rest of the computer. The confirmation was shared on Twitter with a short GIF showing the exploit in action.
Confirmed! Jack Dates from RET2 Systems used an integer overflow in Safari and an OOB Write to get kernel code execution. He wins $100K plus 10 Master of Pwn points to start the contest off right!
Although the event was not focused on Apple products, the Safari exploit was indeed unknown, so Dates won $100,000 for his discovery. Last month, it was revealed how a group of hackers has been using compromised websites to infect iOS devices. Having the right people learn about these security breaches allows Apple to quickly patch them with software updates.
On a related note, security researchers at the Pwn2Own event also showed an exploit found in the popular video conferencing service Zoom, which likewise leads to hackers gaining full access to the computer.
More details about other security breaches discovered by researchers at the Pwn2Own event can be found on the Zero Day Initiative’s official website.