Pwn2Own ended 2021: Windows 10, Ubuntu, Safari, Chrome and Zoom were hacked

The spring Pwn2Own 2021, the largest hacker competition, has ended. This time it all ended in a three-way draw between Team Devcore and OV, as well as the duo of cybersecurity experts Daan Keuper and Thijs Alkemade from Computest.

All three teams finished the competition with 20 points each. In total, in three days, Pwn2Own members earned $1,210,000. Detailed results can be found on the Trend Micro Zero Day Initiative (ZDI) blog.

Under normal circumstances, the event is held as part of the CanSecWest conference in Canada, but due to the coronavirus pandemic this year, Pwn2Own was held online again, like the spring and fall Pwn2Own last year. To this end, the organizers published a list of suitable targets back in January, and several teams applied for participation, planning a total of 23 hacks for ten different products from the list.

“The teams had 15 minutes to launch the exploit and remotely execute the code inside the target application. For each exploit that worked, participants received a cash prize from the sponsors of the competition and points for the tournament table”, — the organizers say.

Spring Pwn2Own 2021, as usual, lasted three days. As a result of the competition, Windows 10, Ubuntu, Safari, Chrome, Zoom, Microsoft Exchange, Microsoft Teams and Parallels Desktop were successfully compromised. Interestingly, none of this year’s entrants attempted to hack into the Tesla Model 3 car provided in the competition. The last time a car was hacked in 2019.

Cybersecurity experts unambiguously recognized the Zoom hack as the most impressive and dangerous compromise of this year, which does not require user interaction, asdemonstrated by Daan Köper and Tiis Alkemade of Computest. This exploit earned the experts $200,000.

The exploit is known to combine three vulnerabilities at once and works on the latest versions of Windows 10 and Zoom. In the researchers’ demo, the victim simply received an invitation to a meeting from the attacker and didn’t even need to click anywhere: the malicious code was executed automatically. Since the vulnerabilities have not yet been fixed, the technical details of the attack are still kept secret, but you can see what it looked like by this link.

The attack works against Windows and Mac versions of Zoom, but has not yet been tested on iOS or Android. Zoom developers have already told the media that they are working on fixing the problem and thanked the experts for their work.

“We take security very seriously and appreciate Computest’s research. We are working to resolve this issue in Zoom Chat, our group messaging product. This issue does not affect in-session chat in Zoom Meetings and Zoom Video Webinars. In addition, the attack must come from an accepted external contact or be part of the account of the same organization. Zoom recommends that users only accept requests to add to contacts from people they know and trust,” the developers say.

Let me remind you about the previous competition, Hacking competition Pwn2Own Tokyo, when were hacked NAS, routers and TVs.