Zero-day vulnerabilities in the Zoom Messenger desktop client could allow attackers to execute arbitrary code on a victim's machine, security researchers have demonstrated.
Ethical hackers Daan Keuper and Thijs Alkemade from Computest Security demonstrated their exploit at the Pwn2Own hacking contest, and were awarded a bug bounty of $200,000 by the video conferencing service.
Commenting on the exploit, Keuper said that while earlier Zoom vulnerabilities allowed attackers to infiltrate calls, their exploit was a great deal more serious, as it lets attackers take over the entire system.
Hijacking remote systems
The ethical hackers chained three vulnerabilities in the Zoom messenger to create their exploit.
Even more alarming is the fact that they were able to take over the remote system running the Zoom client without any involvement from the victim: the exploit was zero-click, requiring no link to be opened and no attachment to be downloaded.
Once successful, the duo had almost complete control over the remote computer. They demonstrated several actions, such as toggling the webcam and the microphone, viewing the desktop, reading emails, and downloading the victim's browser history.
Pwn2Own is a well-known hacking contest at which ethical hackers demonstrate zero-day vulnerabilities in widely used devices and applications. Given the rise of remote collaboration tools, the organizers added a new Enterprise Communications category this year.
Elsewhere in the contest, another ethical hacker broke into Microsoft Teams, again by chaining a combination of vulnerabilities to execute arbitrary code, and earned a $200,000 bug bounty from Microsoft.