A pair of security researchers revealed multiple zero-day vulnerabilities in Zoom in recent days that would have allowed hackers to take over someone’s computer even if the victim had not clicked on anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday and that users do not need to take any further action.
The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking contest organized by the Zero Day Initiative. Few details are known about the vulnerabilities because of the competition’s disclosure policy, but in essence the researchers chained three bugs in the Zoom desktop app to achieve remote code execution on the target system.
The user did not need to click anything for the attack to successfully hijack their computer. You can see the bug in action below.
According to Malwarebytes Labs, which cited a response from Zoom, the attack had to come from an accepted external contact or from a member of the target’s own organizational account. It specifically affected Zoom Chat, the company’s messaging platform, but did not affect in-session chat in Zoom meetings and Zoom video webinars.
Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition featured an “Enterprise Communications” category, and given that we all live through our screens because of COVID-19, it’s no wonder why. Zoom was both a participant in and a sponsor of the event.
In a statement on Keuper and Alkemade’s win, Computest said the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the camera, activating the microphone, reading e-mails, checking the screen and downloading the browser history.
“Zoom grabbed the headlines last year due to various vulnerabilities. However, this mainly concerned the security of the app itself, and the ability to watch and listen with video calls. Our findings are even more serious. The client vulnerabilities allowed us to take over the entire user system,” Keuper said in a statement.
In case you forgot, Zoom wasn’t exactly synonymous with security last year. There was Zoom bombing, in which people took advantage of Zoom’s then-lax screening measures to push pornography clips and Nazi memorabilia into unsuspecting Zoom meetings. The company also only launched end-to-end encryption in October, after a lot of confusion over whether it actually supported it or not.
Zoom told Gizmodo on Saturday that it was not aware of any incidents in which malicious actors exploited vulnerabilities discovered by researchers.
“On April 9, we released a server-side update defending against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” a Zoom spokesperson said. “This update does not require any action from our users. We continue to work on additional mitigation measures to fully address the underlying issues. Zoom is also not aware of an incident in which a customer has been exploited by these problems.”