Safari hole exploited in seconds at security conference

Charlie Miller, who won a contest by hacking a MacBook Air last year, exploits a security hole in Safari within seconds at the CanSecWest security conference.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Updated at 5:53 p.m. PDT with information on a second winner at the ongoing contest.

Charlie Miller
Charlie Miller won $5,000 after demonstrating a new Safari exploit as part of the Pwn2Own hacking contest at CanSecWest. Elinor Mills/CNET

VANCOUVER, Canada--The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so.

Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.

The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL, as Miller demonstrated.

"It's not easy, but this worked with one click" from the Safari browser, he said.

Miller is prevented by contest rules from revealing details of the exploit. He said he told Apple representatives what he planned to do earlier in the day. "They're happy because they get free research and get a bug fixed," he said.

The contest is sponsored by TippingPoint, which will share details on the exploit with Apple and develop a patch for it. TippingPoint is offering $5,000 for each new exploit demonstrated in the major browsers and $10,000 for each successful exploit in the major smartphones, as well.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007.

Later in the day, a 25-year-old computer science student at the University of Oldenburg in Germany, won $15,000 for exploits he demonstrated in IE 8, Safari, and Firefox. The student, who declined to give his full name, gets to keep the Sony Vaio he did his exploits on, and Miller gets to keep the MacBook he used.