China’s top hackers have gathered this weekend to compete in the Tianfu Cup, China’s top hacking competition.
In the two-day contest, held on November 16 and 17, Chinese security researchers tested zero-days against some of the world’s most popular applications.
The main aim is to exploit and take over an app using never-before-seen vulnerabilities. Researchers earn points for successful attacks, and those points count toward an overall classification and cash prizes. They also gain reputation from winning this hacking competition.
The Tianfu Cup’s rules are similar to those of Pwn2Own, the world’s largest hacking contest.
Prior to 2018, Chinese security researchers dominated Pwn2Own, with different teams winning the competition years in a row.
The Tianfu Cup was set up as a way for local researchers to keep their skills sharp. The first edition, held in the fall of 2018, was a big success, with researchers successfully hacking apps like Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox, and more.
Day 1 : Victims
On the first day of the competition, 32 hacking sessions were scheduled, of which 13 were successful and seven failed; in the other 12 sessions, security researchers abandoned their exploitation attempts for various reasons.
The successful sessions included hacks of Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version), Chrome, Safari, Office 365, Adobe PDF Reader, the D-Link DIR-878 router and qemu-kvm + Ubuntu.
Few software vendors were present at the Tianfu Cup, and many high-profile successful exploits were recorded in the competition’s first two editions. Members of the Google Chrome security team were on site.
According to a competition spokesperson, the organizers plan to report all bugs to the respective vendors at the competition’s end.
Day 2 : $200,000 for a VMware Escape
On the second day, 16 sessions were scheduled, but only half went through as planned; the researchers gave up on the other eight. Of the eight sessions that went ahead, seven succeeded and only one failed. The seven successful exploits targeted the D-Link DIR-878, Adobe PDF Reader and VMware Workstation.
Team 360Vulcan won the competition, earning $382,500 for hacking Microsoft Edge, Microsoft Office 365, qemu+Ubuntu, Adobe PDF Reader and VMware Workstation.