A pair of security researchers has identified a critical zero-day vulnerability in Zoom that allowed them to take control of remote devices without any user interaction.
Taking over a remote device over the network, without any input from the victim, usually means the vulnerability is critical. Since the researchers have only just demonstrated the exploit chain, no information is yet available on how it works. We only know that Daan Keuper and Thijs Alkemade from Computest chained three bugs to exploit the Zoom messenger.
The only details about the vulnerability appear in a short GIF posted on Twitter by the Zero Day Initiative, the organizer of Pwn2Own, a competition that gathers top white-hat hackers from around the world. The researchers compromised a fully updated Windows 10 machine and launched the Calculator app as proof of code execution.
While the exploit was shown running against Windows, macOS machines are also affected. Zoom is already working on a patch to fix the problems, especially since the company is a sponsor of the Pwn2Own Vancouver 2021 competition. Discovering zero-day vulnerabilities in this kind of competition is probably the best-case scenario, as the details stay with the vendor until a fix is ready.
“We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue,” said the company in a statement to Tom’s Guide. “The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.”
“As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center,” they explained.
Daan Keuper and Thijs Alkemade received a $200,000 prize for their efforts.