Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.
Di Zovie, who lives in New York, developed the exploit that exposed the hole on Thursday night. Since the contest was only open to conference attendees, he sent it to his friend Macaulay in Vancouver, who claimed the prize.
The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said.
The vulnerability won’t be published. 3Com Corp.’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.
Mac users can avoid this security hole by simply not using Safari until it is updated