Participants in hacking competition Tianfu Cup find zero-day flaws in Chrome, Android, iOS 14 and Windows

The Tianfu Cup, a hackathon held once a year in China, took place this weekend. In this edition, participating specialists focused on detecting security flaws in iOS 14, Windows 10, Chrome, Safari, Adobe PDF Reader, and many other popular applications and operating systems.

Fifteen teams participated in the third edition of the competition, in which contestants try to hack a given system or application in up to three attempts of five minutes each. The advantage is that the exploits used by the ethical hackers are reported beforehand to vendors and developers, so it is impossible for these attacks to be replicated in real-world scenarios.

The 2020 edition of the Tianfu Cup was won by the EsGM 360 Vulnerability Research Institute, a team that received about $750,000 in prize money. These researchers also won the competition last year; AntFinancial Lightyear Security Lab and independent security researcher Pang took second and third place. Participating researchers demonstrated the exploitation of security flaws in the following products:

  • iOS 14 (on an iPhone 11 Pro Max device)
  • Android (on a Samsung Galaxy S20 device)
  • Chrome
  • Safari
  • Firefox
  • Adobe PDF Reader
  • Docker-CE
  • VMware ESXi
  • QEMU
  • CentOS 8
  • Windows 10 2004
  • TP-Link
  • ASUS router

Former Facebook chief security director Alex Stamos believes these kinds of strategies are a good way to strengthen security research: “This and other similar competitions contain difficult lessons about the number of critical software errors in the U.S. and the rest of the world,” the researcher says.

Through Twitter, Stamos continued to comment on this initiative and the need to incentivize these research programs: “More conceivably, Chinese researchers are correcting zero-day failures for $180,000 while the U.S. Supreme Court discusses the legality of the security investigation,” Stamos concludes.