Google has awarded $112,500 (Rs 71,75,300 approx) to Guang Gong, a security researcher from Qihoo 360 Technology’s Alpha Team. Gong reported a severe remote exploit chain affecting Pixel smartphones via Google’s Android Security Rewards (ASR) program in August last year. The researcher was awarded $105,000 (Rs 66,93,225 approx), which the company says is the highest reward in the history of the ASR program, along with another $7500 (Rs 4,78,087 approx) from the Chrome Rewards program.
The two bugs, CVE-2017-5116 and CVE-2017-14904, are remote exploit chain vulnerabilities. Google's blog says, “CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.”
Google has detailed the exploit in its blog post and thanked Guang Gong along with the entire researcher community for their contributions to Android security. The company also stated that the security flaw was resolved on all Pixel and affected partner devices as part of the December 2017 monthly security update. The company’s Android security team had increased top payouts for the ASR program in June last year.
Google had also fixed Android devices affected by the Wi-Fi KRACK vulnerability with its December security patch. The KRACK security vulnerability was recently discovered by a security researcher who revealed that it affected almost every Wi-Fi enabled device. Before the fix, an attacker could potentially exploit the flaw to steal sensitive information like credit card numbers, passwords, emails, and more.