Exploits for serious vulnerabilities affecting Zoom for Windows and MacOS are available online after being putting up for sale by hackers, security experts have warned.
The vulnerabilities are classed as zero-days (or 0-days), which means the vendor is unaware of their existence in its code and therefore temporarily powerless to prevent their exploitation.
The zero-day present in Zoom’s Windows application reportedly allows the hackers to execute code on the target device remotely, and is listed for purchase online for at $500,000.
Make careless data decisions history with our dark web monitoring and alerts. Get Dashlane for seamless, private 'interneting' with 2FA (two-factor authentication) by default. Your privacy matters to us so that’s why there's no limit on devices or passwords stored or shared.
- What is Zoom? How it works, tips and tricks and best alternatives
- Zoom apologises for major security vulnerabilities, promises fixes
- How to change your Zoom background - and other fun tips
Zoom security issues
Zoom’s security standards have come under scrutiny in recent weeks, amplified by the explosion in users brought about by coronavirus quarantine measures.
Researchers have uncovered a litany of vulnerabilities - from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development to focus on eliminating security flaws.
According to anonymous sources, who have not examined the code first hand but have spoken with the selling party, the two new exploits vary in potency.
The zero-day present in Zoom for Windows could be used to gain access to the application, but not the device it’s held on. To abuse the bug, the hacker would also need to join the same video conference as the victim, ruling out a stealth-based assault.
The flaw affecting Zoom’s MacOS client, meanwhile, does not allow for remote code execution and is therefore less threatening to end users.
In a written statement, Zoom confirmed it is investigating the zero-days but disputed the legitimacy of the rumours.
“Zoom takes user security extremely seriously. Since learning of these rumours, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” said the firm.
“To date, we have not found any evidence substantiating these claims,” it added.
- Here's our list of the best video conferencing applications on the market
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.