Chinese Hackers Break Into Chrome, Safari, Edge; Reveal Browsers' Vulnerabilities

Popular vendors received terrible news over the weekend as reports claimed that Chinese hackers were able to exploit vulnerabilities in major browsers, apps, and common utilities. At the recent Tianfu cup held in Chengdu, China, Chinese China's top white-hat hackers have converged in to test zero-days against top software available in the market today. During the first day of the event, Chinese security researchers were able to break into major browsers such as Safari, Microsoft Edge, and Google Chrome.

Since Mar. 2018, the Chinese government has officially discouraged security researchers from joining hacking competitions outside the county. The recent Tianfu Cup is the venue for hackers to showcase their skills and even earn six-figure bounties for successful exploits. Former Pwn2Own winner Team 360 Vulcan took home $382,500 for successfully hacking the old version of Office 365, Microsoft Edge, Adobe PDF Reader, VMWare Workstation, and gemu+ Ubuntu during the two days event, reports ZDNet.

Security researchers say in a new study that some 60 percent of cloud computing networks of major US companies have been compromised by hackers AFP / Lionel BONAVENTURE

$200,000 of the winnings came from the VMWare exploit while the $80,000 was from gemu+ Ubuntu exploit. The $102,500 was divided by other apps. Previously, several software vendors started attending hacking competitions and even send representatives to learn about vulnerabilities discovered during the event. This is very useful considering that some vendors immediately release patches and fixes within hours of discovery.

I’m not at all surprised to see 360Vulcan has an exploit in every category. They are a large team with a lot of skilled people. Also, they always dominate by quantity in pwn contests, they go after everything. (The router bugs don’t pay out enough, I guess, to attract 360) https://t.co/bvn41vIK16
— thaddeus e. grugq (@thegrugq) November 16, 2019

However, only a few vendors were present during the Tianfu Cup. Multiple high-profile, successful exploits were recorded during the event’s first two editions. Search engine giant Google has a representative in the event with some members of the Google Chrome security team present on site. Organizers plan to submit a report of all bugs uncovered during the event to all vendors when the competition concludes, says ZDNet.

This is literally just, like, a hundred Chinese security researchers testing their 0days in competition against modern software targets. It is probably the densest collection of 0days per sqm in the world, and I’ve seen only one organic tweet about it.

Infosec Twitter, wtf?!? https://t.co/781cepNPy6
— thaddeus e. grugq (@thegrugq) November 15, 2019

Events like this are easy to demonize, but some vendors fail to appreciate that these events help incentivize continuous research into various products so they can be developed more securely. Public hacking competition is way better compared to secret executions with malicious and catastrophic intent.

China Software Google Google chrome