In the third edition of China’s national ethical hacking contest, the Tianfu Cup, the country’s top hackers uncovered and exploited previously unknown vulnerabilities in widely used software products, including the iPhone, Microsoft Edge and Google Chrome.
Ethical hacking contests might come as a surprise to some, but they are held both nationally and internationally. They can be a component of Capture The Flag events, in which hacking (breaching or exploiting a system) is one of the challenges presented, or they can be bug bounty programs, like the Tianfu Cup.
The contest spanned two days, the first full weekend of November. A total of 15 teams participated, including several teams from Qihoo 360, a Chinese tech giant with an excellent track record in such competitions.
All contestants were given 3 attempts of 5 minutes each to target software of their choice with an exploit they had engineered themselves. In total, the teams had picked 16 targets, of which 11 were successfully compromised.
On the first day, most contestants carried out exploits against major browsers. These included Google Chrome, Microsoft Edge, and Safari. Vulnerabilities were also found in Microsoft Office 360 and Adobe PDF Reader.
On the second day, Adobe PDF Reader was exploited twice more. It was also a day on which several notable operating systems, including Ubuntu, were successfully targeted. The most noteworthy exploits, however, were the breaches of iOS 14 on an iPhone 11 Pro and of VMware, a cloud storage system.
Given that iOS and VMware are regarded as among the most secure products, these two break-ins earned the biggest prizes: $300,000 for the iOS hack and $200,000 for the VMware hack.
The total prize money awarded to participants came to $1.2 million. The largest share went to the team from Qihoo 360, whose total earnings were $744,500. In second place was Ant-Financial Light-Year Security Lab, which won $258,000. The third-largest winnings went to Pang, a security researcher who single-handedly earned $99,500. Some teams, meanwhile, won nothing at all.
Patching Vulnerabilities Found by Ethical Hackers
The purpose of such competitions is not simply to stage a kind of cyber-sport for engineers and technicians. Rather, they are arenas that bring together a great deal of talent to find and close the many vulnerabilities that software is rife with.
All vulnerabilities found in such competitions are reported to the companies in question, which are also notified in advance that a breach may take place. The Tianfu Cup’s protocol is no different, and patches for the reported vulnerabilities are expected to be released in the coming week.
While these events act as learning experiences for people involved in software engineering all over the world and offer handsome cash prizes, they also serve the direct interests of tech companies.
It is not uncommon for companies to hold bug bounty programs for their own products. This allows hackers with a variety of backgrounds and approaches to study a company’s software and provides a diverse outside perspective on flaws in the existing code.
Facebook launched one such bounty program in 2018. In 2016, Apple launched a similar program to identify flaws in its operating systems and related software. Google also has a bounty program, under which it rewarded an Uruguayan teen $36,000 for reporting a vulnerability.