Chinese security researchers were able to successfully discover zero-day vulnerabilities in Google’s Chrome, Microsoft’s Edge (based on EdgeHTML), Apple’s Safari, and more at the recently held hacking competition in the city of Chengdu in China.
The hacking contest held over last weekend – November 16 and 17 – saw China’s top hackers take part in the Tianfu Cup 2019 International Cyber Security Competition – the country’s top hacking competition – to test some of the world’s most popular applications.
For those unaware, prior to 2018, Chinese experts had successfully dominated Pwn2Own, the world’s largest hacking contest, by winning the competition years in a row.
However, in the spring of 2018, the Chinese Government prohibited Chinese white hat hackers from taking part in international hacking competitions. As a result, the Chinese government came up with their own, Tianfu Cup, China’s answer to Pwn2Own, for local security researchers to test their skills against popular software and hardware.
The first edition of the Tianfu Cup PWN competition held last year saw white hat hackers earning more than $1 million for zero-day exploits with researchers successfully hacking apps like Chrome, Edge, Safari, iOS, Xiaomi, Vivo, VirtualBox, etc.
Day 1 of the Tianfu Cup 2019 contest saw 32 hacking attempts, of which 13 hacking sessions were successful, 7 failed and in 12 sessions security researchers abandoned exploitation attempts.
Chinese security researchers were able to successfully discover zero-day vulnerabilities in popular applications like Edge (based on EdgeHTML), Chrome, Safari, Adobe PDF Reader, Office 365, D-Link DIR-878 Router, and quemu-kvm + Ubuntu.
According to the organizers, hackers were able to successfully hack the following on day 1:
3 successful exploits against the old version of Microsoft Edge based on EdgeHTML
2 hacks against Google Chrome
1 hack against Safari
1 hack against Office 365
2 hacks against Adobe PDF Reader
3 hacks against D-Link DIR-878 router
1 hack against qemu-kvm + Ubuntu
Further, Day 2 of the Tianfu Cup 2019 contest had 16 exploit sessions with researchers giving up on 8 attempts. Of the remaining 8, seven hacking sessions were successful, with only one not being able to hit the mark.
While the D-Link DIR-878 router was hacked four times, Adobe PDF Reader had two successful hacks, and VMWare Workstation was exploited once.
Team 360Vulcan gave up on their attempt to exploit iOS in their much-anticipated session, as they were unable to succeed.
At the end of the tournament, Team 360Vulcan won the competition and earned a total of $382,500 for exploiting vulnerabilities in Microsoft Edge, Office 365, Adobe PDF Reader, qemu+Ubuntu, and VMWare Workstation. The majority of the winning amount for Team 360Vulcan came from exploiting VMWare and qemu+Ubuntu, which earned them $200,000 and $80,000, respectively.