EXECUTIVE SUMMARY:
Over 330 million monthly active users rely on Twitter for entertainment and news, and to let others know what is going on in their lives. If you want to connect with others in your areas of focus, Twitter is a place to go. A cybersecurity researcher who discovered a Chrome zero-day exploit headed to the platform to tweet about his findings.
The Chrome zero-day exploit
A researcher working on exploit code for a zero-day remote code execution (RCE) vulnerability dropped the information on the Twitter platform. According to the researcher, the exploit affects the latest version of Google Chrome. It may also affect Microsoft Edge and other browsers built on the Chromium framework.
Rajvardhan Agarwal tweeted a GitHub link directing people to the exact exploit code; this was after the Pwn2Own ethical hacking contest held online last Monday.
“Just here to drop a Chrome 0day”, typed Agarwal in his Tweet. “Yes, you read that right”.
In the Pwn2Own contest rules, participants are instructed to alert the Chrome security team about vulnerabilities as quickly as possible. This enables Chrome teams to launch a patch shortly thereafter.
The right people were indeed alerted, and the latest version of Chrome's V8 JavaScript engine does patch the flaw, as Agarwal pointed out in connection with his tweet.
Nonetheless, “…that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks,” wrote ThreatPost on Tuesday. Since then, a new version of Chrome, complete with security fixes, has been released.
Weaponizing exploit code
Two security researchers who participated in the Pwn2Own security contest developed exploit code for a type mismatch bug and managed to weaponize it. They discovered how to run malicious code inside Chrome and Edge. For their bug hunting, the pair received $100,000.
The exploit consists of a PoC HTML file that can be loaded into a Chromium-based browser. Together with an accompanying JavaScript file, it launches the Windows Calculator program (calc.exe) to demonstrate code execution. However, the security researchers would still need to escape the Chrome browser “sandbox”, which blocks browser-specific code from accessing the underlying system and so prevents the exploit from achieving full remote code execution on the host.
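The PoC described above leaves a distinctive trace on an endpoint: a browser process spawning calc.exe, something a Chromium browser never does on its own. The following is an added example, not code from the article, the researchers or Google, showing the detection logic a defender would run over process-creation logs to catch that parent/child pairing. The log lines are constructed for this example (their key=value layout loosely follows Sysmon process-creation events but they come from no real system), and the browser and updater executable names are assumptions.

```python
"""
Flag a browser process spawning a child it has no business spawning,
the observable left behind when a renderer exploit pops calc.exe.
All log records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: typical Windows image names of Chromium-based browsers.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Children a Chromium browser legitimately spawns: its own helper
# processes (renderer, GPU, utility) and its updater. Assumed names.
EXPECTED_CHILDREN = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "googleupdate.exe", "microsoftedgeupdate.exe"}

# Constructed sample log: one process-creation event (EventID=1) per line.
SAMPLE_LOG = """\
EventID=1 ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe CommandLine="chrome.exe --type=renderer"
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\calc.exe CommandLine="calc.exe"
EventID=1 ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe Image=C:\\Windows\\System32\\calc.exe CommandLine="calc.exe"
EventID=1 ParentImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"
EventID=1 ParentImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe Image=C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe CommandLine="MicrosoftEdgeUpdate.exe /c"
"""

# A value is either a double-quoted string or runs until the next " key=".
# Unquoted values (paths) may contain spaces, hence the lookahead.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value process-creation record into a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str


def find_suspicious_browser_children(log_text: str) -> List[Finding]:
    """Return each event in which a browser spawned a child process that
    is neither one of its own helper processes nor its updater."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in BROWSER_IMAGES and child not in EXPECTED_CHILDREN:
            findings.append(Finding(parent, child, event.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    # On the constructed log this reports chrome.exe -> calc.exe and
    # msedge.exe -> cmd.exe; explorer.exe -> calc.exe is a normal launch.
    for finding in find_suspicious_browser_children(SAMPLE_LOG):
        print(f"ALERT: {finding.parent} spawned {finding.child}: {finding.command_line}")
```

The allow-list approach matters more than the specific calc.exe check: a real intrusion would launch something other than the calculator, so the rule keys on the parent being a browser and the child being anything outside the browser's own process tree, and the command line is carried along only for triage.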
Twitter exploit commotion
The two researchers reacted with surprise upon learning of Agarwal’s post on Twitter. One of them replied: “Getting popped with our own bugs wasn’t on my bingo card for 2021”.
Agarwal did not post a fully weaponized version of the code. No information was shared that would have enabled an attacker to run a full exploit chain or to escape the sandbox.
Agarwal’s post remains controversial in the ethical hacking community. For more on this Chrome zero-day exploit story, visit ThreatPost.