A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days that would have let hackers take over someone’s computer even if the victim hadn’t clicked anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday and that users did not need to take additional action.
The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although not many specifics are known about the vulnerabilities because of the competition’s disclosure policy, in essence, the researchers used a three-bug chain in the Zoom desktop app to carry out a remote code execution exploit on the target system.
The user did not need to click anything for the attack to successfully hijack their computer. You can see the bug in action below.
According to Malwarebytes Labs, which cited a response from Zoom, the attack needed to originate from an accepted external contact or from a user in the target’s same organizational account. It also specifically affected Zoom Chat, the company’s messaging platform, but did not affect in-session chat in Zoom meetings and Zoom video webinars.
Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition featured the “Enterprise Communications” category—given how acquainted all of us are with our screens because of covid-19, it’s no wonder why—and Zoom was a participant and sponsor of the event.
In a statement on Keuper and Alkemade’s win, Computest said that the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the camera, turning on the microphone, reading emails, checking the screen, and downloading browser history.
“Zoom took the headlines last year because of various vulnerabilities. However, this mainly concerned the security of the application itself, and the possibility of watching and listening along with video calls. Our discoveries are even more serious. Vulnerabilities in the client allowed us to take over the entire system from users,” Keuper said in a statement.
In case you forgot, Zoom wasn’t exactly synonymous with security last year. There were the Zoom bombings that took advantage of Zoom’s then-lax screening measures to dump clips of porn and Nazi memorabilia into unsuspecting Zoom meetings. It also only launched end-to-end encryption in October, after a whole lot of confusion over whether it actually supported it.
Zoom told Gizmodo on Saturday that it was not aware of any incidents in which malicious actors had exploited the vulnerabilities found by the researchers.
“On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” a Zoom spokesperson said. “This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues. Zoom is also not aware of any incident in which a customer was exploited by these issues.”