Tianfu Cup 2020 Reveals Zero-Days and Hacks Against Everything

By Bill Toulas / November 9, 2020

This year’s Chinese international cybersecurity contest known as the “Tianfu Cup” has been concluded, and the results are impressive without a doubt. The hacking teams managed to crack 11 out of the 16 targets that were defined by the organizers of the event, finding 23 zero-day flaws in them.

The products that were targeted include some very widely-used and high-profile software projects and items like the iPhone 11 Pro+iOS 14, the Samsung Galaxy S20, Windows 10 2004, TP-Link and ASUS routers, Chrome, Safari, Firefox, Adobe PDF Reader, CentOS 8, Docker-CE, and VMWare.

That is a very wide scope of targeting against products that are considered mature and secure, so the payouts were equally impressive. The winning team, “Qihoo 360,” has received a total of $744,500 for the hacks they managed to pull out.

Second place paid $258,000 to “AntFinancial Lightyear Security Lab,” the third place had an award of $99,500 (individual researcher), and even the team finishing eighth received a respectable $8,500.

Related: AnyConnect VPN Suffers From Zero-Day Exploit and Cisco Offers Workaround

Notably, the hacking teams only had three rounds of five minutes each to demonstrate the working exploit against the target.

Source: TFC

Because the products are so popular and widely used, Tianfu Cup couldn’t just publicly disclose the vulnerabilities and allow hackers to exploit a huge pool of users. Instead, and per the contest regulations, all of the discovered zero-days were reported to the vendors of the cracked products.

So, fixing patches are expected to arrive in the next days or even weeks.

Source: TFC

In several cases, different teams followed the same path of exploitation to take over a specific product, so the vulnerability was somewhat obvious. In these cases, the payouts were paid in full to each of the hacking teams, as long as there were up to three max.

Source: TFC

The highest paying fee for any discovery this year was $180,000 for the iPhone 11 Pro running iOS 14, where hackers managed to perform a sandbox escape through an RCE. Two hacking teams managed that, but we can’t tell if their methods were entirely different.

Other notable zero-day bounties include a $100k for a Chrome exploit, $60k for a Safari vulnerability, $50k+$80k for two Samsung Galaxy S20 flaws, $40k for a way into Windows 10, $180k for a VMWare break-in, and $40k+$15k for two Ubuntu bugs. Somehow, the Edge browser was spared from the weekend of massacre, being among the very few targets not to fall.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: