Charlie Miller, principal security analyst at Independent Security Evaluators, used a security exploit in Safari 4 to hack into a MacBook in about 10 seconds Wednesday, winning the Pwn2own contest at the CanSecWest security conference for the second year in a row.
The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine by getting the computer user to click on a malicious URL, as Miller demonstrated.
“It’s not easy, but this worked with one click” from the Safari browser, he said.
The contest is sponsored by TippingPoint, which shares details on the exploit with Apple and develops a patch for it. TippingPoint offers $5,000 for each new exploit demonstrated in the major browsers and $10,000 for each successful exploit in the major smartphones.
Miller also discovered an exploit in the mobile version of Safari shortly after the iPhone was launched in 2007. In addition to the $5000 prize for his efforts Wednesday, he gets to keep the MacBook he used to win the contest.