Hacking contest: Chinese hackers find Zero Days in Chrome and Edge


The Chinese hacker contest TianfuCup has revealed a number of security holes. In addition to the browsers Chrome, Edge and Safari, the hackers Office 365, the Adobe Reader and the kernel-based virtualization solution KVM / QEMU attack under Ubuntu. Above all, the team 360Vulcan stood out, which came up with a considerable number of zero days, that is to say unknown security gaps. The team belongs to the security firm Qihoo360, which in the past had its own security problems. First, the online magazines had Fossbytes and ZDnet reported about the competition.

Job market

  1. Techniker health insurance, Hamburg
  2. Schoeller Technocell GmbH & Co. KG, Osnabrück

Chinese security researchers conducted several zero-day vulnerabilities in various software products at the hacker contest. The competition is the Chinese variant of Pwn2Own, where at the beginning of the year, among other things, the infotainment system of the Tesla Model 3 was hacked. Chinese hackers celebrated several achievements at the 2017 Pwn2Own competition. However, last year, the Chinese government banned them from participating in hacker conferences overseas, and thus Pwn2Own. The first TianfuCup was held in the same year.

The aim of the hacker conferences is the acquisition of apps and programs on previously unknown security vulnerabilities (Zero Days). Three exploits for Microsoft's Browser Edge in the old EdgeHTML-based variant were demonstrated at the two-day TianfuCup. With these malicious code could be introduced and executed and partially broken out of the sandbox. Also, Google's Chrome browser was hacked by two teams, Apple's Safari hit it once. The safari hack, the team had been only partially successful, as the organizers write. Using a prepared RTF document in the edge browser, attackers were also able to undermine the security mechanisms of Microsoft Office 365.

However, not only were security holes found in browsers. One team managed to break out of a KVM Qemu-based virtual machine on Ubuntu and execute malicious code on the host system. Added to this were security holes in Adobe's PDF Reader and the D-Link DIR-878 router. According to the organizer, all vulnerabilities used in the competition should be reported to the manufacturers so that they can be remedied.

With a bonus of $ 382,500 won the team 360Vulcan the Chinese security company Qihoo360 the competition. Qihoo360 had made headlines in the past with the two proprietary TLS certification bodies, Wosign and Startcom. Mozilla and Google had de-trusted the certification authorities and accused them of misleading the browser community rather than adequately remedying any discovered vulnerabilities. In addition, CAs have attempted to bypass browser restrictions on SHA1 certificates by backdating certificates. At times it was also possible to issue certificates for, provided that the applicant had control over a subdomain of Github.

Please activate Javascript.

Or use that Golem-pur offer

and read

  • without advertisement
  • with disabled Javascript
  • with RSS full text feed