Hackers selling Zoom Windows and Mac exploits online

News
By Joel Khalili
last updated

Exploit targeting Windows devices on sale for $500,000

(Image credit: Zoom Video Communications)

Exploits for serious vulnerabilities affecting Zoom for Windows and MacOS are available online after being putting up for sale by hackers, security experts have warned.

The vulnerabilities are classed as zero-days (or 0-days), which means the vendor is unaware of their existence in its code and therefore temporarily powerless to prevent their exploitation.

The zero-day present in Zoom’s Windows application reportedly allows the hackers to execute code on the target device remotely, and is listed for purchase online for at $500,000.

Dashlane Password Manager, now with a free VPN
Dashlane Premium

Make careless data decisions history with our dark web monitoring and alerts. Get Dashlane for seamless, private 'interneting' with 2FA (two-factor authentication) by default. Your privacy matters to us‎ so that’s why there's no limit on devices or passwords stored or shared.

Zoom security issues

Zoom’s security standards have come under scrutiny in recent weeks, amplified by the explosion in users brought about by coronavirus quarantine measures.

Researchers have uncovered a litany of vulnerabilities -  from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development to focus on eliminating security flaws.

According to anonymous sources, who have not examined the code first hand but have spoken with the selling party, the two new exploits vary in potency.

The zero-day present in Zoom for Windows could be used to gain access to the application, but not the device it’s held on. To abuse the bug, the hacker would also need to join the same video conference as the victim, ruling out a stealth-based assault.

The flaw affecting Zoom’s MacOS client, meanwhile, does not allow for remote code execution and is therefore less threatening to end users.

In a written statement, Zoom confirmed it is investigating the zero-days but disputed the legitimacy of the rumours.

“Zoom takes user security extremely seriously. Since learning of these rumours, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” said the firm.

“To date, we have not found any evidence substantiating these claims,” it added.

Via Motherboard

Joel Khalili
Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.