Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Researchers hack Safari, iOS 14 to win $420,000 in China contest

The winning team at the 2020 Tianfu Cup contest

Last updated

Apple's software security has reportedly been defeated at the Tianfu Cup hacking contest in China, with thousands of dollars worth of prizes being handed out to participants for demonstrating vulnerabilities in Safari and iOS 14.

The contest, which took place on Saturday and Sunday, saw teams attempting to successfully demonstrate exploits that attack a wide variety of hardware. For the 2020 competition, the Apple-specific targets for the teams were Safari running on a 13-inch MacBook Pro and iPhone 11 Pro running iOS 14.

Each device had a list of requirements to meet to qualify for prizes given out by Tianfu Cup's organizers. For Safari, which had security researchers using Safari to browse a remote URL and enable the control of the browser or the Mac, $40,000 was on offer for a successful remote code execution (RCE) attack, rising to $60,000 for an RCE with a sandbox escape.

For the iPhone and iOS 14, teams had similar requirements as for Safari, but with the addition of needing to "bypass the PAC mitigation." The RCE earned hackers $120,000 if successful, rising to $180,000 and additional prizes for a sandbox escape and $300,000 for a remote jailbreak.

According to the published results, one team managed a sandbox escape in Safari, while two sandbox escapes were performed in iOS 14, resulting in payouts totaling $420,000.

The details of the exploits were not released, but were provided to Apple for patching under a responsible disclosure policy. Once patched, or a sufficient period of time has passed, the details of the vulnerabilities are usually shared by the researchers who discovered them.

Now in its third year, the Tianfu Cup is largely modeled after Pwn2Own in structure, with many of the researchers previously taking part in that competition. A change in Chinese regulations effectively banned security researchers from taking part in international contests, over national security fears.

The winning team from the weekend was the Qihoo 360 Enterprise Security and Government Vulnerability Research Institute, earning $744,500 from its submissions. Second place went to Ant-Financial Light-year Security Lab with $258,000, while security researcher "Pang" was third with $99,500.



6 Comments

SpamSandwich 19 Years · 32917 comments

They didn’t bother hacking Windows or Android? Too easy?

sflocal 16 Years · 6138 comments

They didn’t bother hacking Windows or Android? Too easy?

Exactly... While I think it's great that iOS (and MacOS) is always the target of security researchers, I did find it odd that Windows and Android weren't mentioned.  By not mentioning it, it says a lot.  


The public knows that "security" and "windows/Android" don't go well together in the same sentence.  It's embarrassing actually.

gatorguy 13 Years · 24627 comments

sflocal said:
They didn’t bother hacking Windows or Android? Too easy?
Exactly... While I think it's great that iOS (and MacOS) is always the target of security researchers, I did find it odd that Windows and Android weren't mentioned.  By not mentioning it, it says a lot.  
The public knows that "security" and "windows/Android" don't go well together in the same sentence.  It's embarrassing actually.

Both of you so anxious to post you couldn't spend a single minute looking before commenting? In less than 60 seconds a search for "TianfuCup 2020" found:

The participants successfully tested their exploits against the following software:

  • iOS 14 running on an iPhone 11 Pro
  • Samsung Galaxy S20
  • Windows 10 v2004 (April 2020 edition)
  • Ubuntu
  • Chrome
  • Safari
  • Firefox
  • Adobe PDF Reader
  • Docker (Community Edition)
  • VMWare EXSi (hypervisor)
  • QEMU (emulator & virtualizer)
  • TP-Link and ASUS router firmware

So in total 11 out of 16 targets were cracked . I'll let one of you figure out which 5 weren't successfully hacked.

CloudTalkin 5 Years · 916 comments

They didn’t bother hacking Windows or Android? Too easy?

What do you think is a greater likelihood?  1. Windows and Android weren't hacking targets in the contest.  2.  Appleinsider made an editorial decision to only focus on reporting info about the hacking attempts of Apple related subjects.
https://www.zdnet.com/article/windows-10-ios-chrome-and-many-others-fall-at-chinas-top-hacking-contest/

sflocal said:
They didn’t bother hacking Windows or Android? Too easy?
Exactly... While I think it's great that iOS (and MacOS) is always the target of security researchers, I did find it odd that Windows and Android weren't mentioned.  By not mentioning it, it says a lot.  
The public knows that "security" and "windows/Android" don't go well together in the same sentence.  It's embarrassing actually.

Not mentioning Windows or Android does indeed say a lot.  It says that Appleinsider editorializes to focus on Apple.  What it does not say is anything about security researchers and their targets.  Contest like these always focus on a wide range of targets, including Windows and Android.  For better perspective, you may need to widen the scope of your information sources beyond Appleinsider.

rochford 13 Years · 32 comments

Where does that kind of prize money come from if it’s not the government?