A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days that would have let hackers take over someone’s computer even if the victim hadn’t clicked anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday and that users did not need to take additional action.
The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although not many specifics are known about the vulnerabilities because of the competition’s disclosure policy, in essence, the researchers used a three-bug chain in the Zoom desktop app to carry out a remote code execution exploit on the target system.
The user did not need to click anything for the attack to successfully hijack their computer. You can see the bug in action below.
— Zero Day Initiative (@thezdi) April 7, 2021
According to MalwareBytes Labs, which cited a response from Zoom, the attack needed to originate from an accepted external contact or be part of the target’s same organizational account. It also specifically affected Zoom Chat, the company’s messaging platform, but did not affect in-session chat in Zoom meetings and Zoom video webinars.
Keuper and Alkemade won $US200,000 ($262,380) for their discovery. This was the first time the competition featured the “Enterprise Communications” category — given how acquainted all of us are with our screens because of covid-19, it’s no wonder why — and Zoom was a participant and sponsor of the event.
In a statement on Keuper and Alkemade’s win, Computest said that the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the camera, turning on the microphone, reading emails, checking the screen, and downloading browser history.
“Zoom took the headlines last year because of…