Two zero-day flaws in the Zoom videoconferencing platform have allegedly been discovered by hackers who are now offering them for sale. The hackers claim the flaws can be exploited to gain access to both the Windows and MacOS Zoom clients.
Use of the Zoom teleconferencing solution has soared during the COVID-19 crisis, with personal and business users turning to the platform to maintain contact with friends, family, and the office during lockdown. Any vulnerabilities in Zoom are likely to be in high demand given the number of users that could be attacked. It is therefore unsurprising that the hackers are asking for $500,000 for the exploits. Exploits for previously unknown vulnerabilities in popular platforms can command high prices, with millions of dollars sometimes paid for certain exploits.
The Zoom Windows client zero-day is a remote code execution flaw, which could be exploited to gain access to any Windows device with the Zoom client installed and run arbitrary code on it. If the exploit is paired with another exploit, it would be possible for an attacker to take full control of a vulnerable device. However, in order for the flaw to be exploited, an attacker would need to be in a Zoom meeting with the target.
The zero-day vulnerability identified in the macOS Zoom client could only be exploited locally, so it has more limited potential, and is not a remote code execution flaw.
The sale of the zero-days was first reported by Motherboard, which has been in contact with three people with knowledge of the zero-day market who have been offered the exploits, including Adriel Desautels of Netragard.
The other two sources, who have not been named, also said they have been offered the exploits. One of those individuals said the Windows zero-day is a nice, clean remote-code execution flaw that would be “perfect for industrial espionage,” as it would allow Zoom meetings to be hacked. However, none of the brokers are understood to have actually seen the exploit code to confirm the hackers’ claims.
Zoom has issued a statement confirming that the company is aware of the sale of the alleged zero-days and that it is working with a reputable, industry-leading security firm to investigate the claims, but has not found any evidence so far to substantiate the claims that the zero-days exist.
Zoom has made the headlines recently following the discovery of security flaws and privacy issues with the platform. There have also been many reported Zoombombing attacks, where Zoom meetings are hacked and joined by uninvited individuals. Also, last week, a database containing around 2,300 compromised Zoom credentials was being shared on underground hacking forums. The database contained the usernames and passwords of corporate users, including banks, software vendors, and healthcare providers.