SecurityWeek

Hackers Earn $1 Million for Zero-Day Exploits at Chinese Competition

White hat hackers earned more than $1 million for exploits disclosed at the Tianfu Cup PWN hacking competition that took place on November 16-17 in Chengdu, the capital of China’s Sichuan province.

The contest ran alongside the Tianfu Cup conference and is similar to Zero Day Initiative’s Pwn2Own – they both offer significant prizes and in both cases the demonstrated vulnerabilities are disclosed to their respective vendors. However, at this year’s Pwn2Own events combined – Pwn2Own 2018 and Pwn2Own Tokyo 2018 – hackers earned roughly $600,000.

At the Tianfu Cup PWN competition, participants earned a total of $120,000 for two Microsoft Edge exploits that allowed remote code execution. Two Chrome exploit chains earned hackers a total of $150,000.

Three teams received the same amount for Safari vulnerabilities, including $100,000 for an exploit demonstrated on macOS.

The highest single reward, $200,000, was paid out to contestants who demonstrated an iPhone X jailbreak and a remote code execution exploit.

Tianfu Cup organizers told SecurityWeek that this iPhone X exploit involved a type confusion Just-in-Time (JIT) bug in Safari and a use-after-free vulnerability in the iOS kernel. The hackers promised to make details available after Apple pushes a fix.

Researchers also earned $120,000 for two Oracle VirtualBox exploit chains, and $100,000 for hacking VMware Workstation and Fusion.

VMware has confirmed that the vulnerabilities allow an attacker to execute code on the Workstation host from the guest. The company says it’s working on addressing the flaws and promised to publish an advisory.

Earlier this month, VMware informed customers of patches for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition in China.

A Microsoft Office exploit chain involving a logical bug and a memory corruption flaw earned researchers $80,000. A total of $80,000 was paid out for three Adobe Reader hacks.

Participants also earned several thousand dollars for hacking Vivo X23, OPPO R17 and Xiaomi Mi 8 smartphones.

Several other attempts did not earn participants any money because they involved previously disclosed vulnerabilities.

According to organizers, participants earned $1,024,000 for disclosing 30 vulnerabilities. Of that amount, $620,000 was paid to a team from Chinese cybersecurity firm Qihoo 360. Independent researchers and teams from universities, Tencent, and Ant Financial, one of China’s main financial services providers, also took part in the competition.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
