How a Hacker Cracked Firefox in 8 Seconds: Inside the Pwn2Own Exploit
In the Pwn2Own 2022 competition, hacker Manfred Paul exploited two critical Firefox vulnerabilities in under eight seconds, earning $100,000, while the event also uncovered major bugs across Ubuntu, Tesla, Microsoft, and Safari, highlighting the real-world impact of rapid zero‑day exploits.
Many people think the rapid password cracking and system intrusion shown in TV dramas are unrealistic, but real hacks do happen. In a recent hacker competition, a participant breached a mainstream browser—Firefox—in less than eight seconds.
1. Who Is the Hacker?
Pwn2Own is the best-known and most lucrative live hacking contest in the industry. It is run by the Zero Day Initiative (ZDI), a vulnerability-purchase program founded in 2005 at TippingPoint (later part of 3Com and then HP) and owned by Trend Micro since 2015. Contestants demonstrate previously unknown vulnerabilities in widely used software and devices, live and under a time limit, and the bugs are handed to the vendors afterwards. The eight-second Firefox exploit was performed by Manfred Paul.
On May 18, 2022, the first day of Pwn2Own Vancouver, Paul chained two critical Firefox bugs into an attack that completed in under eight seconds, winning a $100,000 prize. He also demonstrated a bug in Apple's Safari browser, earning an additional $50,000, and placed fourth overall in the competition.
2. What Were the Two Critical Bugs?
The two vulnerabilities, both rated critical by Mozilla in advisory MFSA 2022-19, are:
CVE-2022-1802: prototype pollution in the implementation of top-level await. An attacker who could corrupt the methods of a JavaScript Array object through prototype pollution could get attacker-controlled JavaScript executed in a privileged context.
CVE-2022-1529: untrusted input used in JavaScript object indexing. A message sent to the privileged parent process was used to double-index into a JavaScript object, so attacker-chosen keys lead to prototype pollution and ultimately to attacker-controlled JavaScript running in the parent process.
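As an added illustration, not Firefox's code and not the Pwn2Own exploit, the JavaScript below shows the bug class the advisory describes for CVE-2022-1529: two untrusted strings used to double-index a plain object. When the first key is "__proto__", the first index returns Object.prototype, so the second write lands on the prototype that every plain object (and, through Array.prototype, every array) inherits from. The message handler, the registry, the message shape and the option name are assumptions made for this example; the hardened handler that follows validates keys and stores entries in prototype-less buckets.

```javascript
// Added example: generic double-indexing prototype pollution and a hardened
// variant. Not Firefox code; names and message format are assumptions.

// Vulnerable pattern. A handler on the privileged side receives a message from
// a less-privileged sender and stores msg.value at registry[msg.outer][msg.inner].
// registry["__proto__"] is Object.prototype, not undefined, so the second index
// writes a property onto the shared prototype instead of into the registry.
function applyMessageVulnerable(registry, msg) {
  const { outer, inner, value } = msg;
  if (registry[outer] === undefined) {
    registry[outer] = {};
  }
  registry[outer][inner] = value;
}

// Hardened pattern. Keys must be strings, the well-known prototype-reaching
// names are rejected, own-property checks replace plain indexing, and buckets
// are created with Object.create(null) so they have no prototype to pollute.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyMessageHardened(registry, msg) {
  const { outer, inner, value } = msg;
  for (const key of [outer, inner]) {
    if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`rejected untrusted key: ${String(key)}`);
    }
  }
  if (!Object.prototype.hasOwnProperty.call(registry, outer)) {
    registry[outer] = Object.create(null);
  }
  registry[outer][inner] = value;
}

// Privileged-side check that reads an option the caller never set. After
// pollution, a freshly created {} inherits allowPrivileged === true.
function isPrivilegedActionAllowed(options) {
  return options.allowPrivileged === true;
}

// Constructed attacker message: both index strings come from the sender.
const MALICIOUS_MESSAGE = { outer: "__proto__", inner: "allowPrivileged", value: true };

// Runs the vulnerable handler, records what became visible on unrelated
// objects, then removes the polluted property so the process is left clean.
function demonstrateVulnerable() {
  const registry = {};
  applyMessageVulnerable(registry, MALICIOUS_MESSAGE);
  const result = {
    leakedToFreshObject: isPrivilegedActionAllowed({}),
    visibleViaArray: [].allowPrivileged === true,
    storedAsOwnProperty: Object.prototype.hasOwnProperty.call(registry, "__proto__"),
  };
  delete Object.prototype.allowPrivileged; // cleanup of the global side effect
  result.cleanAfterDelete = !isPrivilegedActionAllowed({});
  return result;
}

// Runs the hardened handler against the same message and a benign one.
function demonstrateHardened() {
  const registry = {};
  let rejected = false;
  try {
    applyMessageHardened(registry, MALICIOUS_MESSAGE);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  applyMessageHardened(registry, { outer: "tab-1", inner: "title", value: "Example" });
  return {
    rejected,
    leakedToFreshObject: isPrivilegedActionAllowed({}),
    benignStored: registry["tab-1"].title === "Example",
  };
}

console.log(JSON.stringify({ vulnerable: demonstrateVulnerable(), hardened: demonstrateHardened() }, null, 2));
```

The vulnerable run reports that the value never became an own property of the registry yet shows up on a fresh object and on an array, which is exactly why a privileged process that trusts the shape of its own objects is dangerous once any untrusted string reaches an index expression. The hardened run rejects the message and still stores ordinary entries.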
3. Impact on Firefox Users
Although the bugs are critical, the practical impact on end users is limited. Mozilla shipped the fix within two days of the contest in Firefox 100.0.2 (and Firefox ESR 91.9.1), and Firefox updates automatically by default, so most users already have the patched version. Anyone who has disabled automatic updates should confirm that Firefox reports version 100.0.2 or later.
The competition also revealed significant bugs in other products. Ubuntu Desktop had three vulnerabilities demonstrated by Orca of Sea Security, Northwestern University's TUTELARY team, and researcher Billy Jheng Bing-Jhong. The infotainment system of a Tesla Model 3 was compromised through a double-free and an out-of-bounds write (OOBW) bug by Synacktiv researchers David Berard and Vincent Dehors. Microsoft Teams and Windows 11 also yielded several severe new bugs, and Safari and VirtualBox were not spared.
The event is a win-win: participants receive cash rewards, and vendors get full details of each bug along with 90 days to fix it before ZDI publishes the findings.
References:
https://www.forbes.com/sites/daveywinder/2022/05/22/firefox-browser-hacked-in-8-seconds-using-2-critical-security-flaws/
https://twitter.com/_manfp
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
MaGe Linux Operations