Zoom Bugs could make hackers control your computer


Photo: Olivier Douliery / AFP via Getty Images

In recent days, security researchers revealed several zero-day vulnerabilities in Zoom that would have allowed hackers to take over someone’s computer, even if the victim isn’t on a call. Zoom confirmed to Gizmodo that it released a server-side update on Friday to fix the vulnerabilities and that users would not have to take any additional action.

The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade of Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking contest hosted by the Zero Day Initiative. Few details about the vulnerabilities are known because of the contest’s disclosure policy, but in essence the researchers chained three bugs in the Zoom desktop app to achieve remote code execution on the target system.

The user did not have to click on anything for the attack to successfully hijack their computer. You can see the bug in action below.

According to Malwarebytes Labs, citing a response from Zoom, the attacker had to be an accepted external contact or belong to the same organizational account as the target. The attack specifically affected Zoom Chat, the company’s messaging platform, and did not affect in-session chat in Zoom Meetings and Zoom Video Webinars.

Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition included an ‘Enterprise Communications’ category (considering how much time we all spend in front of our screens because of COVID-19, it’s no wonder why), and Zoom was both a participant in and a sponsor of the event.

In a statement following Keuper and Alkemade’s win, Computest said the researchers could almost completely take over the targeted systems, performing actions such as turning on the camera, turning on the microphone, reading emails, viewing the screen, and downloading the browser history.

“Zoom made headlines last year for several vulnerabilities. However, this mainly concerned the security of the application itself, and the ability to watch and listen with video calls. Our discoveries are even more serious. Customer vulnerabilities allowed us to take over the entire system from users,” Keuper said in a statement.

In case you forgot, Zoom wasn’t exactly synonymous with security last year. There were the Zoom bombers who took advantage of Zoom’s then-lax screening measures to dump porn clips and Nazi imagery into unsuspecting Zoom gatherings. The company also only launched end-to-end encryption in October, after a lot of confusion about whether it actually supported it or not.

Zoom told Gizmodo on Saturday that it was unaware of any incidents in which malicious actors had exploited the vulnerabilities found by the researchers.

“On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” said a Zoom spokesperson. “This update does not require any action from our users. We continue to work on additional solutions to fully address the underlying issues. Zoom is also unaware of any incident where a customer was exploited by these problems.”
