Chinese Hackers Shatter Chrome, Safari, Edge Browser Defenses During Tianfu Cup Contest

Several white hat hackers in China spent the weekend infiltrating some of the top web browsers and other applications as part of the Tianfu Cup. As at Pwn2Own, hackers attempt to exploit various software in ways that have not been discovered before, with prizes and bragging rights on the line (as well as better security for us all).

The rules of Tianfu Cup and Pwn2Own are pretty much the same. During the two-day event, hackers racked up points by exposing zero-day vulnerabilities in Microsoft's Edge, Apple's Safari, and Google's Chrome browsers, as well as other applications. Here's how it broke down on the first day of the competition:
  • Microsoft Edge (old version, not Chromium): 3 successful exploits
  • Chrome: 2 successful exploits
  • Safari: 1 successful exploit
  • Office 365: 1 successful exploit
  • Adobe PDF Reader: 2 successful exploits
  • D-Link DIR-878 Router: 3 successful exploits
  • Ubuntu (qemu-kvm): 1 successful exploit
On the second day, hackers successfully exploited the D-Link DIR-878 router four more times, Adobe PDF Reader two more times, and VMware Workstation once.

One of the teams, 360Vulcan, gave up attempts to thwart iOS during a highly anticipated session that was to run until the end of the tournament. However, the team still won the competition, earning a hefty $382,500 payday. Hacking VMware Workstation was the most lucrative, as it accounted for $200,000 of that total.

Chinese hackers have proven adept at these things, having done really well during past Pwn2Own events. However, in 2018 the Chinese government banned security researchers from participating in hacking contests outside of China. That is how the Tianfu Cup came to exist.

There were only a few vendors at the event. A spokesperson told ZDNet that the people who run the event will report all successful exploits to applicable vendors, and if that is the case, it's likely each one will be patched shortly after (as typically happens with these things).