Google recently patched a zero-day vulnerability in its popular Chrome browser that was discovered by an unlikely source – an Apple employee participating in the Capture The Flag (CTF) hacking competition. This case brought attention to the specifics of how the bug was discovered and then reported to Google. In this article, we discuss the details of this unique discovery and the response from both Google and Apple.
An Unusual Discovery
According to comments in the official bug report, the zero-day bug was discovered by an Apple employee during the HXP CTF competition in March. The Apple employee decided not to disclose it at the time. Google was instead notified by someone else who had participated in the contest and was not directly involved in finding the bug. A Google employee called the discovery “HXP content from the CTF team” and acknowledged that the original discovery was made by an Apple employee from the SEAR team.
Late Report
On the Discord channel, an Apple employee under the pseudonym “Gallileo” shed some light on why the bug wasn’t reported sooner. They explained that it took two weeks of full-time work to thoroughly analyze the problem, create a Proof of Concept (PoC) and produce a comprehensive report. As a result of this process, notification of the defect through the company was delayed until June 5th. Gallileo cited several reasons for the delay, including the need to identify the responsible person, obtain the necessary approvals, and the responsible person’s absence during that time. In addition, Gallileo said they believed the bug might not pose a significant real-world threat, because it did not affect Android and was relatively visible, as it caused Chrome to freeze for a short period of time. Regardless, the Chrome team moved quickly to fix the problem, even though the Apple employee thought the urgency might not be warranted.
CTF Competitions and Zero-Day Discoveries
Capture The Flag (CTF) hacking competitions are well known as a platform for talented cyber security enthusiasts to showcase their skills. It is not uncommon for such competitions to expose zero-day vulnerabilities, especially in high-level challenges. Filippo Cremonese, a researcher who takes part in CTF competitions, confirmed the likelihood of such discoveries during these events.
Bug Fix and Bug Bounty
Google managed to patch the zero-day bug on March 29, shortly after it was reported. Surprisingly, the person who received the $10,000 reward from Google for reporting the bug was not the one who found it. That reward went to “content”, who reported the bug on behalf of the Apple employee.
Conclusion
A zero-day vulnerability in Chrome discovered by an Apple employee during a CTF contest has sparked interest in the cybersecurity community. The unusual chain of events, in which the Apple employee didn’t immediately report the bug and someone else did it for them, raised eyebrows. However, Google responded quickly and fixed the issue promptly. The case underscores the importance of collaboration between technology companies and the ethical hacking community, and highlights the critical role of CTF competitions in exposing vulnerabilities. As technology evolves, such collaboration is essential to ensure a safer digital environment for all users.
Note. The information in this article is based on comments in TechCrunch’s official bug report and updates. Statements by the Apple employee and “inside” come from their Discord messages. Neither Apple nor the other parties have responded to requests for comment since the last update.