Security researcher awarded huge sum after finding a flaw in Google Pixel smartphones

Google has confirmed that the complete set of security issues was resolved as part of the December 2017 security update, which fixed a total of 42 bugs.


When the Google Pixel launched, it shipped with a serious security flaw that could be used to compromise the device. The vulnerability was discovered by security researcher Guang Gong of Alpha Team, Qihoo 360 Technology, in August 2017, and he submitted an exploit chain through the Android Security Rewards (ASR) program.


Google has since confirmed that the complete set of issues was resolved as part of the December 2017 security update, which fixed a total of 42 bugs. While Pixel users can feel safe now, the search giant has awarded a total of $112,500 (roughly Rs. 71,74,687) to the security researcher for reporting the exploit chain in Pixel devices.

Google claims that it is the highest reward in the ASR program's history. Guang also received an extra bonus of $7500 (roughly Rs. 4,78,312) through the Chrome Rewards program.

Google has thanked Guang and the wider research community for finding and reporting security vulnerabilities, and the company has published the full technical details of the exploit on its Android Developers Blog.

To highlight the key points: the exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904.


According to Google's report, the first vulnerability, CVE-2017-5116, is a type confusion bug in the V8 engine that can be used for remote code execution in the sandboxed Chrome renderer process. The second flaw, CVE-2017-14904, was found in Android's libgralloc module and could be used to escape Chrome's sandbox: a map and unmap mismatch in the module could cause a Use-After-Unmap error.

"Together, this exploit chain could be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome," the company has stated.

In practice, if a Pixel owner or another Android smartphone user clicked on such a URL, the device could be compromised, leading to malicious downloads and ultimately malware payloads, hijacking, and surveillance. The good news is that these issues have been fixed.

Meanwhile, Google has said that the find is the first working remote exploit chain submitted through the program to date.

For those unfamiliar with it, Google's Android Security Rewards program offers rewards to security researchers working on Android's security features. Smartphones covered under the program currently include Google Pixel 2, Google Pixel and Pixel XL, and Google Pixel C.

In June 2017, Google also increased the ASR payout for a remote exploit chain, or for exploits leading to TrustZone or Verified Boot compromise, from $50,000 (roughly Rs. 31,92,600) to $200,000 (roughly Rs. 1,27,70,300). To date, Google has awarded researchers over $1.5 million (roughly Rs. 9,57,77,200), with the top research team earning $300,000 (roughly Rs. 1,91,55,450) for 118 vulnerability reports.
