Zoom Bugs Allow Hackers To Take Over Computers Without Intervention


No bug shall go unnoticed. And when the privacy of users of one very popular piece of software is at stake, cybersecurity researchers must leave no stone unturned.

Zoom is the popular video-conferencing app from Eric Yuan that has grown immensely popular since the start of the 'COVID-19' coronavirus pandemic. This time, a pair of security researchers revealed several zero-day vulnerabilities in Zoom that would have let hackers take over victims' computers even when the victims hadn't clicked anything.

Zoom has had its own share of bugs and vulnerabilities, but this time the bugs are zero-click, meaning that hackers don't need their targets to do anything in order to hijack their computers.

The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted and organized by the Zero Day Initiative.

Keuper and Alkemade won $200,000 for their discovery.

The competition for white hat cybersecurity professionals included 23 entries, where participants competed in different categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege.

In a statement on Keuper and Alkemade’s winning, Computest Security said that the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the webcam, turning on the microphone, reading emails, checking the screen, opening the calculator app, and even downloading browser history.

“Zoom took the headlines last year because of various vulnerabilities. However, this mainly concerned the security of the application itself, and the possibility of watching and listening along with video calls. Our discoveries are even more serious. Vulnerabilities in the client allowed us to take over the entire system from users,” Keuper said in a statement.

This was the first time that the competition featured the “Enterprise Communications” category.

And given how accustomed many people have become to remote working and the Work From Home (WFH) trend, Zoom itself was a participant in and a sponsor of the event.

Following the finding, Zoom said that it was not aware of any incidents in which malicious actors had exploited the vulnerabilities found by the two researchers.

“On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” a Zoom spokesperson said. “This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues. Zoom is also not aware of any incident in which a customer was exploited by these issues.”

According to Malwarebytes Labs in a blog post, the bugs are present in both the Windows and Mac versions of Zoom, and at the time of writing they had not yet been tested against Zoom on iOS and Android.

Malwarebytes Labs also cited a response from Zoom, which said that the attack needed to originate from an accepted external contact or from a user within the target's same organizational account.

"As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust," the blog stated.

The vulnerabilities specifically affected Zoom Chat, the company's messaging platform, but did not affect in-session chat in Zoom meetings and Zoom video webinars.

The browser version of the videoconferencing software is not impacted.

Published: 09/04/2021