Hackers pwn Edge, Firefox, Safari, macOS, & VirtualBox at Pwn2Own 2018

The white hat hackers at Pwn2Own 2018, have once again proved their elite skills and exposed critical security existing vulnerabilities in the products developed by popular vendors like Apple, Microsoft, Mozilla, and Oracle.

The Pwn2Own 2018 was organized by cybersecurity giant Trend Micro’s Zero Day Initiative at CanSecWest Vancouver, BC where hackers from all over the world took place to exploit zero-day flaws products developed by aforementioned popular vendors.

On the first day (March 14th, 2018) at Pwn2Own 2018, a whitehat hacker Richard Zhu who goes by the online handle of fluorescence targeted Apple’s Safari browser with a sandbox escape but failed to achieve the target in 30 minutes of allotted time, but, upon targeting Microsoft’s Edge browser by exploiting two use-after-free security flaws Zhu managed to hack the browser to earn $70,000.

On the same day, another whitehat hacker from phoenhex team targeted Oracle VirtualBox by using Out-of-bounds (OOB) read and a Time of Check-Time of Use (toctou) bugs which turned out to be partially successful. Niklas earned $27,000 for his effort.

Another whitehat hacker Samuel Groß from phoenhex team successfully targeted Apple Safari browser using a JIT optimization bug in the browser, a macOS logic bug, and a kernel overwrite to execute code to successfully exploit Apple Safari. For his successful hack, he earned $65,000.

On day two, (March 15, 2018) Richard Zhu made a comeback by hacking Firebox browsing using out-of-bounds read flaw vulnerability and an integer overflow in the Windows kernel to pop FireFox and execute his code with elevated privileges.

More: Come and Take a Hit, if you Dare! Declares the Pentagon
More: Mobile Pwn2Own: Hackers pwn iPhone, Huawei, Galaxy and Pixel Phone
More: Safari, Ubuntu Linux, Edge, and Adobe Reader, Hacked At Pwn2Own 2017

For hacking Firefox, Zhu received a whopping amount of $50,000 prize money as well as the Master of Pwn award. In total, Zhu was able to earn $120,000 from his Microsoft’s Edge and Firefox browser hacks.

Then came in Markus Gaasedelen, Nick Burnett and Patrick Biernat of Ret2 Systems, Inc. who targeted Apple Safari with a macOS kernel EoP. However, according to Pwn2Own rules, hackers must demonstrate successful hack within three attempts but in this case, the team was able to do so on the fourth attempt.

Ret2 Systems could not win any prize money but Pwn2Own purchased and disclosed the bugs to Apple through our normal process.

The last team to try their luck at Pwn2Own was MWR Labs whose hackers Alex Plaskett, Georgi Geshev, and Fabi Beterke targeted Apple Safari with a sandbox escape. The team leveraged a heap buffer underflow in the browser and an uninitialized stack variable in macOS to exploit Safari and escape the sandbox. In doing so, they earned $55,000 and 5 Master of Pwn points.

In total, organizers awarded $267,000 for the two-day contest whereas hackers discovered one Mozilla bug, two Oracle bugs, four Microsoft bugs and five Apple bugs. In the next step, the organizers will reach out to the targeted vendors with the security flaws discovered during Pwn2Own 2018.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.