The Unsinkable Maddie Stone, Google's Bug-Hunting Badass

By Lily Hay Newman

“Maddie definitely wasn’t shy about asking those questions and pushing things forward in a way that others weren’t, regardless of gender,” Saunders says. “She has always been herself and never tried to fit in.”

All the while, Stone was also dealing with another challenge: Her mother, with whom she had a difficult relationship, had been sick with multiple sclerosis since her senior year of high school and suffered a precipitous physical and mental decline beginning her sophomore year of college. To cope after graduation, Stone threw herself into her life and work in Baltimore. She joined an improv group and her first Olympic lifting gym, and took up hiking to get outside more. She also joined Twitter to connect with the security research community around the world.

In June 2017 Stone gave a reverse engineering talk at a conference called Recon that took place in Montreal that year. Within weeks a recruiter from Google reached out to her about joining the Android security team.

“My mom passed away in January 2018 three months after I uprooted my life and moved to California for Google,” Stone says. “And yet 2018 was one of my best work years. When other things seem very hectic in our lives, doing good work, solving challenging problems that don’t have easy answers, and trying to make the world a little bit of a better place has always been an outlet for me.”

For all the menace and mystique around hacking tools, actually shutting one down is a bit of an anticlimax. A researcher discloses the vulnerability that the weapon is taking advantage of, the company (hopefully) fixes it, and that’s that—even when the malware in question is some of the most dangerous in the world.

In her first weeks at Project Zero, in late summer 2019, various Google security teams had heard reports from outside researchers that hackers were actively exploiting an unknown Android vulnerability. The evidence pointed to the Israeli cyberarms dealer NSO Group or its customers, and they seemed to be exploiting the bug to infect target devices with NSO’s Pegasus spyware. NSO Group did not return WIRED’s request for comment.

Stone’s first assignment: Track down the bug. The tip Google had received didn’t come with a treasure map, but it did include some details about the attack that could be used as clues about where to look for the vulnerability. Observers had already established that the bug Stone was looking for allowed an attacker to gain system privileges by manipulating the kernel, or fundamental core of the operating system, through a flaw in how the system managed memory. And an attacker could even exploit the bug from within Chrome’s protective and restrictive “sandbox” designed to stop exactly that type of behavior. The vulnerability was also only exploitable on Pixel 1 and 2 smartphones, not the more recent Pixel 3 and 3a.

Stone started poking around Android like a malicious hacker would, looking for a weakness and corresponding exploit that fit the description she had been given. As a new member of the Project Zero team she felt pressure during those days to produce a result; the stakes were even higher because it potentially involved a tool made by a notorious exploit broker. Thanks to her Android expertise, though, and collaboration with her Project Zero colleague Jann Horn and others, it took Stone just a few weeks to finally close the case.

The vulnerability Stone had sussed out was so serious that Project Zero decided to give only seven days' notice—to Google itself—before going public, instead of the usual 90. But because this was her first assignment, Stone had never even filed a bug in Project Zero's issue tracker. She had to ask a teammate for help.

"And then I hit enter and the nervous energy really started," Stone says.

Through finding and disclosing a software bug, she had neutered a cyberweapon that was in active use; she had “burned” a zero day. But there was no Hollywood explosion or dramatic flourish. As Stone drove home later that night, no one outside a small cadre of security professionals had any idea that she had just caused a small stutter in the intricate dance of global cyberespionage.