Hacking competition Pwn2Own exposed vulnerabilities

Revealed vulnerabilities – At the 15th edition of the Pwn2Own hacker competition, vulnerabilities were again found in frequently used applications – including software from event partners Microsoft and Tesla.


In May 2022, the 15th edition of the Pwn2Own hacking competition took place as part of the CanSecWest security conference in Vancouver, Canada. Companies asked well-known hackers to look for weak points in their systems so that they could be repaired quickly and effectively. The target software was selected from areas that are particularly critical for companies and private individuals. The 17 participants made 21 attempts to exploit a total of 25 previously unknown vulnerabilities in the products provided. Of course, the hackers themselves also benefited from successful attacks: this year, a total of 1,155,000 US dollars in prize money was paid out. The competition was organized by Trend Micro’s Zero Day Initiative (ZDI).

Pwn2Own 2022: Successful hacker attacks

Seven attacks were launched on Microsoft’s Windows 11 operating system, six of which were successful. The company’s communication program, Microsoft Teams, also fell victim: three out of four attempts against it were successful. Linux fared no better at Pwn2Own 2022 – all five exploit attempts on the current Ubuntu desktop were successful.

Manfred Paul from Bonn’s RedRocket Club was the only participant in the web browser category. He was able to exploit two vulnerabilities in Firefox, including a sandbox escape, and a vulnerability in Safari.

In the automotive space, a sandbox escape was possible from the infotainment system of a Tesla Model 3. In addition, the participants were able to successfully attack Oracle VirtualBox, among other targets.

The software manufacturers have 90 days after discovering the exposed vulnerabilities to provide appropriate security updates. As a rule, however, the patches appear earlier – Mozilla, for example, provided updates before the end of the competition.



Sources: Zero Day Initiative & Windows