Google awards researcher $112,500 for spotting security flaw in Pixel smartphones

Search giant Google has awarded security researcher Guang Gong a whopping $112,500 (Approximately Rs71, 83,300) for spotting a vulnerability in Google Pixel smartphones.

Gong from Alpha Team, Qihoo 360 Technology, had submitted an exploit chain in August 2017 through the Android Security Rewards (ASR) programme. This is the first exploit chain since Google has expanded the ASR programme.

Google claims this is the highest reward in the history of ASR programme so far.

Guang Gong got an additional award of $7,500 (roughly Rs. 4, 78,900) under the Chrome Rewards programme as well.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process.CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome,” reads Google blog post.

Google Android

In other words, the first bug is a V8 engine type confusion bug which can be used for remote code execution in sandboxed Chrome render process. The second one is found in Android’s libgralloc module which is used to escape Chrome’s sandbox.

Google said the vulnerabilities could be used by attackers to inject arbitrary code into system server by accessing a malicious URL in Chrome.

Basically, if a Pixel user or an Android-based smartphone user clicks on the URL, it could potentially endanger the phone. This malware could prompt the download and execution of additional malware payloads, hijacking, and surveillance.

Through its Android Security Rewards programme, Google has awarded researchers over $1.5 million to date. Protection Status