Some of the world’s leading browsers made by some of the world’s biggest tech companies have been hacked in record time by computer security experts competing in China’s Tianfu Cup.
The hackfest, established as an alternative to its Western counterpart, Pwn2Own, puts software and devices to the test as researchers look for zero-day bugs – unfixed vulnerabilities that can be exploited by bad actors.
ZDNet said that Google’s Chrome, the older version of Microsoft’s Edge, and Apple’s Safari were all hacked during the competition’s first day.
Other popular software and hardware found to have exploitable, previously unknown security flaws included Adobe’s PDF Reader, Microsoft’s Office 365, and the D-Link DIR-878 router. To make sure that users of free and open source software don’t get complacent, Qemu-KVM (Linux kernel module used for virtualization) running on Ubuntu was also on the list.
On the second day, Adobe Reader and D-Link routers got “pwned” again, joined by VMware Workstation. China’s 360Vulcan team ended the Tianfu Cup earning a total of $382,500 for their discoveries. In the last session of the competition the team tried to add iOS to the list of its “victims,” but eventually gave up on the attempt.
The event is structured as a competition that can earn successful zero-day hunters hundreds of thousands of dollars, not to mention boost their reputation in the security community. But these gatherings also normally attract software makers eager to be the first to learn about the newly found bugs and rush to roll out a fix before malicious hackers get a chance to exploit them.
However, as the article and some Twitter users observed, the Chinese event went almost unnoticed by the industry despite the fact that it revealed serious problems with some critical pieces of software and hardware. Given the significance of the zero-day exploits found, that may have to change going forward.
“A competition spokesperson told ZDNet today that organizers plan to report all bugs discovered today to all respective vendors at the competition’s end,” the report said.
The Tianfu Cup was established in 2018 when China’s authorities decided that their security researchers would no longer be taking part in events abroad. Before their domestic competition was set up, teams from China, including 360Vulcan, dominated Pwn2Own, held twice a year in Canada.