Cybersecurity specialists reported the discovery of multiple zero-day vulnerabilities in the Zoom client for desktop computers whose successful exploitation would allow malicious hackers to execute arbitrary code on the target device.
The report was submitted by the ethical hacking team composed of Daan Keuper and Thijs Alkemade during the Pwn2Own hacking contest. Zoom granted them a $200,000 USD reward through its bug bounty program.
Pwn2Own is an important cybersecurity event in which ethical hackers demonstrate zero-day vulnerabilities in popular devices and applications. Due to the increased use of remote communication tools, the contest organizers added a new category, Business Communications.
Regarding their finding, the researchers noted that while previously found Zoom flaws allowed unauthorized access to some video calling sessions, these flaws would allow threat actors to take control of the compromised system.
The attack requires chaining the exploitation of three vulnerabilities. Experts point out, however, that once this chain is in place, hackers do not need any interaction from the potential victim to complete the attack, in what is known as a zero-click attack.
If the attack succeeds, threat actors can take almost complete control of the target system. In their demo, the ethical hackers remotely manipulated the attacked system, turning on the camera and microphone, accessing email platforms and stealing private information such as the device's browsing history.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.