Tianfu Cup Competition: Windows 10, iOS, Chrome, Firefox hacked

Over the weekend (7th/8th November 2020), the TFC 2020 took place in China. It is a hacker competition (Tianfu Cup 2020) in which the best hacker teams in China compete against each other in the city of Chengdu. Once again, there were many successful hacks of current software such as browsers, Windows 10, etc.


The TFC competition

The "Tianfu Cup", or TFC (International Cracking Competition) for short, aims to build China's own "Pwn2Own" community. The background: In spring 2018, the Chinese government banned its own security researchers from participating in hacker competitions organized abroad, such as Pwn2Own. A few months later, the Tianfu Cup was launched in response to the ban to give researchers the opportunity to improve their skills. The first Tianfu Cup was held in the fall of 2018 with great success. The security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and other products.

At the TFC, three independent and parallel competitions are held. The teams must repeatedly exploit previously unknown vulnerabilities in products, software and operating systems in order to be successful in the competition. The total prize money in 2019 was 1 million US dollars. Currently I cannot reach the TFC website, so no data is available.

Successful hacks non-stop

During the two-day competition there were successful hacks, as The Hacker News reports here. At the TFC 2020, software products from Adobe, Apple, Google, Microsoft, Mozilla and Samsung were successfully hacked. "This year's competition has many goals," say the organizers of the event. "11 of 16 targets were cracked with 23 successful demos." The competition saw hacking attempts against a number of platforms, including:

  • Adobe PDF Reader
  • Apple iPhone 11 Pro running iOS 14 and Safari browser
  • ASUS RT-AX86U router
  • CentOS 8
  • Docker Community Edition
  • Google Chrome
  • Microsoft Windows 10 v2004
  • Mozilla Firefox
  • Samsung Galaxy S20 running Android 10
  • TP-Link TL-WDR7660 router
  • VMware ESXi hypervisor

During the two-day event, which took place over the weekend, white hat hackers from 15 different teams used original vulnerabilities to break into widely used software and mobile devices in three attempts within 5 minutes. The idea, in short, is to use different web browsers to navigate to a remote URL or use a bug in the software to control the browser or underlying operating system.

Qihoo 360's Enterprise Security and Government (ESG) Vulnerability Research Institute won with prize money of $744,500, followed by the Ant-Financial Light-Year Security Lab ($258,000) and a security researcher named Pang ($99,500). Patches for all detected bugs are expected to be released in the coming days.

