And why browser security is underestimated.
Bounties
Reddit users agree that Google pays too low for browser security. https://tinyurl.com/y8ort2qj
Let’s compare bounties for XSS in Google services with UXSS in Chrome.
You report XSS in Google service and get from 3113$ to 7500$ (or even more).You report UXSS in Chrome and get 7500$ in the best case.
UXSS = Same-Origin-Policy bypass
Imagine, an attacker could get cookies from all pages you’ve visited, embed Beef hooks, and make other funny things.
UXSS that compromises millions of Chrome users is considered at least equal to XSS in one of Google’s services.
As far as I remembered, one XSS on accounts.google.com was estimated in 13k$. Max bounty for UXSS is 7500 + 1337 for patch, assuming report includes a PoC and explanation.
Chrome browser installed on millions or even billions of devices isn’t as valuable for Google as their services and platforms.
Just compare Google to some companies on Hackerone (e.g., Uber). Yeah, these companies pay more than Google for vulnerabilities affecting only their services&reputation and nothing more.
Nobody cares about your browser
https://tinyurl.com/y8ort2qj Even if it sounds “crazy”, it makes sense
I hope, it’s obvious now, that Google underestimates browser security. Google should sometimes recall that Chrome has almost 65% global market share.
Instead, they’re offering a big bounty (100k$) for ChromeOS which global market share is even hard to figure out (approximately 0.5–0.6%).
Note, that I didn’t say that Google doesn’t care about security. Google cares but in some ridiculous way.
Chrome security team works well. Low bounties possibly could be explained by Google’s approach to rely on internal teams.
However, you can check found CVEs during any Chrome release, and find out that independent researchers and project members(not employees) report many (or even most) issues. So, low bounties can’t be explained by the approach to rely on internal research only.
Apple doesn’t need to help somebody hack you, because they already helped
Do you remember that case, when Apple rejected to help FBI in bypassing Touch ID? That’s a good PR move only.
Note: Zerodium considers Touch ID and passcode bypass as least severe vulnerabilities.
Why it’s a PR move only? Because, Google Project Zero’s member (lokihardt) found (at least) 22 UXSS during 2016 Dec — 2017 Mar. Some of them were regression tests, like CVE-2017–2508.
CVE-2016–6755 = CVE-2017–2508 = regression test
That means, developers have known that this vulnerability was patched only in Chrome, and the problem has been persisting in Safari for more than one year until Project Zero found it during research.
Another good example is CVE-2017–2364. I bet that it was found or even used before Project Zero’s audit because it’s very simple to exploit compared to other vulnerabilities.
Apple doesn’t care
Let’s note that Apple doesn’t have a bug bounty program for Safari(Webkit). As opposite to Google, which has bug bounty programs, Apple probably wants from hackers to submit their research directly to “black market”.
So, all these posts and news about how much Apple cares about privacy and security are just myths. Additionally, it could be proved by comparing the number of CVEs in iOS/MacOS/Webkit with CVEs in Android/Chrome in the last few years. You possibly already have seen such comparisons.
Even Firefox has bug bounties for both web and browser. However, Mozilla Foundation is a non-profit organization, not a 1 trillion dollars company.
Thanks for reading 😈
Github: https://github.com/Metnew
Twitter: https://twitter.com/vladimir_metnew