At Tianfu Cup competition in China, hackers cracked Chrome, Edge and Safari, earning more than $ 500,000

Last weekend, the Tianfu Cup competition took place in China, where, like at Pwn2Own, the competed the best hacking teams, attacking popular products. As a result, Chinese hackers cracked Chrome, Edge and Safari and earned more than $ 500,000.

The essence of the competition is to use previously unknown vulnerabilities and with their help take control of the application or device. If the attack succeeds, the researchers receive points, cash prizes, as well as the corresponding reputation, which inevitably leads to the victory in such an event.

“In essence, the Tianfu Cup is very similar to Pwn2Own and was created precisely after the Chinese government banned local IB researchers from participating in hacking contests organized abroad in 2018”, – reports the publication in Hot Hardware.

The first Tianfu Cup competition took place in the fall of 2018, and then researchers successfully hacked applications such as Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and more.

This year, the Tianfu Cup was not less successful for the participants. So, on the first day of the competition, 11 teams planned 32 different hacks at once, the goals of which were Edge, Chrome, Safari, Office 365 and many more. At the end of the day, 6 of 13 attacks were successful. Another 7 attempts failed, and in 12 cases, researchers for various reasons were forced to abandon their attempts.

Summing up the first day, the organizers of the competition reported the following successful hacks:

1. (3 successful exploits) Microsoft Edge (the old version on the EdgeHTML engine, not the new version of Chromium);
2. (2 successful exploits) Chrome;
3. (1 successful exploit) Safari;
4. (1 successful exploit) Office 365;
5. (2 successful exploits) Adobe PDF Reader;
6. (3 successful exploits) D-Link DIR-878 Router;
7. (1 successful exploit) QEMU-KVM + Ubuntu.

As a result, according to the results of the first day, Team 360Vulcan, the former winner of Pwn2Own, was the leader in the number of points.

On the second day of the competition, 16 hacking attempts were planned. Only half of them was effective, and in eight cases, the researchers again abandoned their intentions. Of the eight successful attacks, however, only seven reached their goals, and one attack did not work. Seven exploits that worked as expected were intended for:

1. (4 successful exploits) D-Link DIR-878;
2. (2 successful exploits) Adobe PDF Reader;
3. (1 successful exploit) VMWare Workstation.

Unfortunately, on the second day of the competition, Team 360Vulcan participants abandoned the attempt to hack iOS, which was planned to be the last task of the tournament.

Read also: The U.S. Patent Office decides whether AI has copyright for the content it creates

In general, participants from different teams failed or refused to hack Edge, Chrome, Safari, Adobe Reader, Oracle VirtualBox, TP-Link and D-Link routers, Windows Server 2019, VMware Workstation and iPhone 11 Pro.

However, Team 360Vulcan still won the competition, earning $ 382,500 for its efforts to hack Microsoft Edge, Microsoft Office 365, qemu + Ubuntu, Adobe PDF Reader, and VMWare Workstation. So, only exploits for VMWare and qemu + Ubuntu brought them $ 200,000 and $ 80,000, respectively.