Cybersecurity researchers from the Netherlands have discovered several zero-day vulnerabilities in Zoom. The video calling service has already promised to release an update that eliminates them, but until that patch ships any user's computer could be taken over. Gizmodo reports on the findings.
The vulnerabilities were discovered by researchers Daan Keuper and Thijs Alkemade of Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking contest organized by the Zero Day Initiative. Few details about the vulnerabilities have been disclosed, but the researchers chained three bugs in the Zoom desktop client to achieve remote code execution on the target system.
The user did not have to click anything for the attack to take over their computer. The attack is demonstrated below.
According to Malwarebytes Labs, the attack must come from an accepted external contact or from a member of the same organization account. It also affected Zoom Chat, the company's messaging platform, but did not affect in-session chat in Zoom Meetings and Zoom Video Webinars.
— Zero Day Initiative (@thezdi) April 7, 2021
Keuper and Alkemade won $200,000 for their discovery. This was the first time the Enterprise Communications category was included in the competition, a reflection of the pandemic, so it is no surprise that Zoom took part in the event as a participant and sponsor.
In its announcement of Keuper and Alkemade's win, Computest said the researchers could take almost complete control of the target systems, performing actions such as turning on the camera, turning on the microphone, reading email, viewing the screen, and downloading the browser history.
"Zoom made headlines last year due to various vulnerabilities. However, this mainly concerned the security of the application itself and the ability to view and listen in on video calls. Our discoveries are even more serious. The vulnerabilities in the client allowed us to take over the entire system from users," Keuper said in a statement.