The Zoom security vulnerability is very serious: two Computest cyber security researchers demonstrated it at the Zero Day Initiative's Pwn2Own bug bounty contest.
Zoom has had its fair share of cyber security problems over the years, and it took a while (and Alex Stamos) for the video conferencing app to get its bearings on the security front after the sudden attention brought on by Covid-19 work-from-home mandates. It now appears to harbour a critical security flaw that could allow threat actors to take control of host PCs through a Remote Code Execution (RCE) attack. The vulnerability was discovered by two Computest cyber security researchers at the Zero Day Initiative's recent Pwn2Own competition.
For the attack to work, the attacker must first belong to the same organisational domain as the host PC's user, or be admitted to the meeting by the host, which introduces at least one layer of protection.
Nonetheless, once inside a conference, attackers could use a chain of three exploit stages to plant an RCE backdoor on the targeted PC. In layman's terms, they can gain access to your computer and then execute remote commands that give them access to your personal information. More alarming still, none of this requires any user interaction, removing a layer of friction that might otherwise have slowed such attacks.
Daan Keuper and Thijs Alkemade of Computest were awarded a $200,000 (Rs 1.5 crore) bounty for the discovery, which was one of the highlights of this year's Pwn2Own. The attack works on both the Windows and Mac clients; Zoom's iOS and Android apps have not yet been tested against it, and the browser-based client is not affected. Because Zoom has yet to fix the vulnerability, the technical details of the bug have not been made public. A patch for Zoom on Windows and Mac is expected within the next 90 days.