Zoom has already had its fair share of cyber security issues for a lifetime, and the video conferencing app took a while (and Alex Stamos) to steady its ship on the security front after finding unexpected popularity due to the Covid-19-necessitated work from home mandates. Now, it appears to still have retained a critical security flaw that could allow threat actors with intent to exploit the vulnerability and undertake a remote code execution (RCE) attack to take control of host PCs. The vulnerability was discovered by two Computest cyber security researchers at the recent Pwn2Own competition, organised by the Zero Day Initiative.
For the hack to work, the attacker first needs to be a part of the same organisational domain as the host PC’s user, or needs to be permitted to join the meeting by the host – hence adding one layer of security, if not anything else. However, security and privacy advocates clearly know that social engineering attacks can quite clearly breach barriers such as feigning stolen identities to gain access to private conferences and meetings – although this represents a different cyber security debate altogether.
Nevertheless, with the Zoom vulnerability, once attackers were part of a meeting, they could execute a chain of three malware relays to install an RCE backdoor on the targeted PC. In simpler terms, the attackers can gain access to your PC, and subsequently be able to execute remote commands that would then give them access to your sensitive files. What’s even more alarming here is that the attackers can carry out all of these actions without any user being required to do anything, therefore doing away with an added interaction layer that could have slowed down the potential of such attacks.
Computest researchers Daan Keuter and Thijs Alkemade were awarded a $200,000 (~Rs 1.5 crore) bounty for making the critical discovery, which was also one of the headlining finds of this year’s Pwn2Own. The attack works on both Windows and Mac, and Zoom’s iOS and Android apps haven’t been tested for it, yet. The browser version remains unaffected with it. Since Zoom is yet to patch the flaw, the exact technical details of the vulnerability have not been disclosed to the public, yet. The said patch should arrive on Zoom for Windows and Mac within the next 90 days.