In any given year, I see the names of a lot of different security researchers that come to prominence for one reason or another. In the last two years, one name that has risen to the top is that of a security researcher only publicly known by the alias “Pinkie Pie.”
Pinkie Pie is the name of a character from the children’s TV show My Little Pony, and the ironic twist is that when a researcher is able to successfully exploit a device or application, it’s called “pwning,” hence the Pony connection. I first heard of Pinkie Pie when he walked out of obscurity in March 2012 to successfully pwn Google’s Chrome Web browser at the Pwnium event that year.
Google awarded Pinkie Pie the tidy sum of $60,000 for the discovery of the flaw, which was identified as an “errant plug-in load and GPU process memory corruption.” Pinkie Pie’s exploit was enough that year to earn him a coveted Pwnie award at the Black Hat USA 2012 event.
Pinkie Pie returned in 2013 for the desktop Pwn2Own event operated by Hewlett-Packard’s Zero Day Initiative (ZDI), taking aim once again at Google. This time, it was Google’s Chrome browser running on Chrome OS. Pinkie Pie’s effort landed him another $40,000 in award money for the discovery and reporting of what turned out to be a trio of flaws, including one buried deep within the Linux kernel. Chrome OS is a Linux-based operating system that Google uses on its Chromebook notebooks.
But wait. There is still more.
Just this week in Japan at HP’s Mobile Pwn2Own event, the legend of Pinkie Pie grew as the My Little Pony-loving security researcher once again demonstrated previously unknown zero-day flaws in Google’s Chrome. Pinkie Pie was able to pwn Chrome on both a Nexus 4 as well as a Samsung Galaxy S 4 smartphone. This time, Pinkie Pie pocketed $50,000 for his efforts.
So, for those of you keeping score at home, inside of a year and a half, Pinkie Pie has earned $150,000 for his prowess at making Google Chrome developers weep, as they witness their beloved browser being publicly decimated.
Make no mistake about it. Pinkie Pie’s skills are impressive. Google Chrome isn’t Java; there is no low-hanging fruit and it isn’t an easy target. Chrome has a robust sandboxing mechanism as does Android and Chrome OS, and to defeat those technologies is a non-trivial endeavor.
What amazes me beyond Pinkie Pie’s obvious skill, is the fact that he is able to repeatedly exploit Chrome. Pinkie Pie is not a one-trick pony.
The obvious concern for me is if Pinkie Pie can exploit Chrome, have others done so, as well, and just not reported it publicly? I don’t know the answer to that question and I don’t know what that value for a zero-day exploit on the black market is either. I do know that HP, which runs the Pwn2Own event and Google both pay handsomely for security vulnerabilities, and hopefully it’s more than what a skilled hacker would get from a malicious buyer.
In any event, Pinkie Pie is now a living legend. This is a man that just a year ago was a total unknown to many in the security research community, and now he’s confirmed to have publicly exploited Google Chrome to the tune of $150,000. That’s not too shabby, even for a pony.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.