A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days, which would have allowed hackers to take over someone’s computer even if the victim hadn’t clicked on anything at all. Zoom confirmed to Gizmodo that it released a server update on Friday to fix the vulnerabilities and that users did not need to take any additional action.
The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade of Computest, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition organized by the Zero Day Initiative. Although not many details about the vulnerabilities are known due to the competition’s disclosure policy, in essence, the researchers chained three bugs in the Zoom desktop application to achieve remote code execution on the target system.
The user did not need to click on anything for the attack to successfully hijack their computer. You can see the bug in action below.
According to Malwarebytes Labs, citing a response from Zoom, the attack needed to originate from an accepted external contact or from someone in the same organizational account as the target. It also specifically affected Zoom Chat, the company’s messaging platform, but did not affect chat during Zoom video meetings and webinars.
Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition featured a “Business Communications” category, and given how much of our lives have moved onto our screens due to covid-19, it’s no wonder why; Zoom was both a participant in and a sponsor of the event.
In a statement on Keuper and Alkemade’s win, Computest said the researchers were able to almost completely take over the target systems, performing actions such as turning on the camera, turning on the microphone, reading emails, viewing the screen and downloading the browser history.
“Zoom occupied the headlines last year due to various vulnerabilities. However, this mainly concerned the security of the app and the ability to watch and listen along with video calls. Our findings are even more serious. The vulnerabilities in the client allowed us to take over the users’ whole system,” Keuper said in a statement.
In case you forgot, Zoom wasn’t exactly synonymous with security last year. There was Zoom bombing, which took advantage of Zoom’s lax protective measures to drop pornographic clips and Nazi memes into unsuspecting Zoom meetings. The company also only rolled out end-to-end encryption in October, after quite a bit of confusion about whether it really supported it or not.
Zoom told Gizmodo on Saturday that it was unaware of any incidents in which malicious actors had exploited the vulnerabilities found by the researchers.
“On April 9, we released a server update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” a Zoom spokesman said. “This update does not require any action from our users. We continue to work on additional mitigations to fully address the underlying issues. Zoom also has no knowledge of any instance in which a customer was exploited through these issues.”