Zoom bugs would have allowed hackers to control your computer


Photo: Olivier Douliery / AFP (Getty Images)

A pair of security researchers revealed zero-day vulnerabilities in Zoom in recent days that would have allowed hackers to take over someone’s computer even if the victim had not clicked on anything. Zoom confirmed to Gizmodo that it released a server-side update on Friday to fix the vulnerabilities and that users did not have to take any further action.

The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade of Computest, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although few details about the vulnerabilities are known because of the competition’s disclosure policy, in essence the researchers chained three bugs in the Zoom desktop application to achieve remote code execution on the target system.

The user did not have to click anything for the attack to successfully hijack their computer. You can see the bug in action below.

According to Malwarebytes Labs, which quoted a response from Zoom, the attack had to come from an accepted external contact or from someone in the same organizational account as the target. It also specifically affected Zoom Chat, the company’s messaging platform, and did not affect in-session chat in Zoom Meetings or Zoom Video Webinars.

Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition featured an “Enterprise Communications” category – given how glued we have been to our screens because of COVID-19, it’s no wonder why – and Zoom was both a participant in and a sponsor of the event.

In a statement on Keuper and Alkemade’s win, Computest said the researchers were able to take over the target systems almost completely, performing actions such as turning on the camera, turning on the microphone, reading emails, viewing the screen and downloading the browser history.

“Zoom made the headlines last year due to various vulnerabilities. However, this was mainly about the security of the application itself and the ability to watch and listen in on video calls. Our findings are even more serious. The vulnerabilities in the client allowed us to take over users’ entire systems,” Keuper said in a statement.

In case you forgot, Zoom wasn’t exactly synonymous with security last year. There were Zoom-bombers who took advantage of Zoom’s lax screening measures to drop porn clips and Nazi imagery into unsuspecting Zoom meetings. The company also only rolled out end-to-end encryption in October, after a lot of confusion about whether it actually supported it or not.

Zoom told Gizmodo on Saturday that it was unaware of any incidents in which malicious actors had exploited the vulnerabilities discovered by the researchers.

“On April 9, we released a server update to protect against the attack demonstrated at Pwn2Own against Zoom Chat, our group messaging product,” said a Zoom spokesman. “This update does not require any action from our users. We continue to work on further mitigations to fully address the core issues. Also, Zoom is not aware of any incident in which a customer was exploited by these problems.”
