Skip to main content

Hackers selling Zoom Windows and Mac exploits online

(Image credit: Zoom Video Communications)

Exploits for serious vulnerabilities affecting Zoom for Windows and MacOS are available online after being putting up for sale by hackers, security experts have warned.

The vulnerabilities are classed as zero-days (or 0-days), which means the vendor is unaware of their existence in its code and therefore temporarily powerless to prevent their exploitation.

The zero-day present in Zoom’s Windows application reportedly allows the hackers to execute code on the target device remotely, and is listed for purchase online for at $500,000.

Dashlane Password Manager, now with a free VPN

Make careless data decisions history with our dark web monitoring and alerts. Get Dashlane for seamless, private 'interneting' with 2FA (two-factor authentication) by default. Your privacy matters to us‎ so that’s why there's no limit on devices or passwords stored or shared.VIEW DEAL ON Dashlane Premium

Zoom security issues

Zoom’s security standards have come under scrutiny in recent weeks, amplified by the explosion in users brought about by coronavirus quarantine measures.

Researchers have uncovered a litany of vulnerabilities -  from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development to focus on eliminating security flaws.

According to anonymous sources, who have not examined the code first hand but have spoken with the selling party, the two new exploits vary in potency.

The zero-day present in Zoom for Windows could be used to gain access to the application, but not the device it’s held on. To abuse the bug, the hacker would also need to join the same video conference as the victim, ruling out a stealth-based assault.

The flaw affecting Zoom’s MacOS client, meanwhile, does not allow for remote code execution and is therefore less threatening to end users.

In a written statement, Zoom confirmed it is investigating the zero-days but disputed the legitimacy of the rumours.

“Zoom takes user security extremely seriously. Since learning of these rumours, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” said the firm.

“To date, we have not found any evidence substantiating these claims,” it added.

Via Motherboard

Joel Khalili

Joel Khalili is a Staff Writer working across both TechRadar Pro and ITProPortal. He's interested in receiving pitches around cybersecurity, data privacy, cloud, storage, internet infrastructure, mobile, 5G and blockchain.