A security researcher participating in the Pwn2Own hacking contest earned $100,000 for finding a one-click exploit in Apple's Safari browser.
Credit: Apple
The 2021 Pwn2Own content kicked off on April 6. On the first day, RET2 Systems researcher Jack Dates found a vulnerability in Apple's browser, according to the Zero Day Initiative, which hosts the content.
As demonstrated in a tweet, Dates used an integer overflow and an out-of-bounds write to achieve kernel-level code execution. The researcher won a $100,000 prize and 10 points in the competition.
Congratulations Jack! Landing a 1-click Apple Safari to Kernel Zero-day at #Pwn2Own 2021 on behalf of RET2: https://t.co/cfbwT1IdAt pic.twitter.com/etE4MFmtqs
-- RET2 Systems (@ret2systems) April 6, 2021
The Zero Day Initiative hosts the Pwn2Own competition annually, inviting security researchers from across the globe to seek out vulnerabilities in major operating systems and platforms. Other targets in the 2021 competition include Zoom, Google Chrome, and Microsoft Edge.
We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW
-- Zero Day Initiative (@thezdi) April 7, 2021
Although Apple products are not typically the most popular target at Pwn2Own, this isn't the first time researchers have discovered flaws in Safari during the event. Similar vulnerabilities were discovered at the 2018 and 2019 events.