Date: 12/04/21
Security researchers find Zoom vulnerabilities that would have let bad actors take over your computer
A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days that would have let hackers take over someone’s computer even if the victim hadn’t clicked anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday, April 9, and that users did not need to take additional action.

The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although not many specifics are known about the vulnerabilities because of the competition’s disclosure policy, in essence the researchers chained three bugs in the Zoom desktop client to achieve remote code execution on the target system.
The victim did not need to click anything for the attack to hijack their computer.
According to Malwarebytes Labs, which cited a response from Zoom, the attack had to originate from an accepted external contact or from an account in the target’s own organization. In practice that made accepting an external contact request the trust boundary an outside attacker had to cross. The bugs affected only Zoom Chat, the company’s messaging platform, not the in-meeting chat in Zoom Meetings or Zoom Video Webinars.
Keuper and Alkemade won $200,000 for their discovery. This was the first time the competition featured an “Enterprise Communications” category (unsurprising, given how much of our lives moved onto screens because of COVID-19), and Zoom was both a participant in and a sponsor of the event.
In a statement on Keuper and Alkemade’s win, Computest said the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the camera and microphone, reading emails, viewing the screen, and downloading browser history.
“Zoom took the headlines last year because of various vulnerabilities. However, this mainly concerned the security of the application itself, and the possibility of watching and listening along with video calls. Our discoveries are even more serious. Vulnerabilities in the client allowed us to take over the entire system from users,” Keuper said in a statement.
In case you forgot, Zoom wasn’t exactly synonymous with security last year. There was Zoombombing, which took advantage of Zoom’s then-lax meeting access controls to dump pornographic clips and Nazi imagery into unsuspecting meetings. And Zoom only launched end-to-end encryption in October 2020, after a great deal of confusion over whether it actually supported it.
Zoom told Gizmodo on Saturday that it was not aware of any incidents in which malicious actors had exploited the vulnerabilities found by the researchers.
“On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product,” a Zoom spokesperson said. “This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues. Zoom is also not aware of any incident in which a customer was exploited by these issues.”
©ictnews.az. All rights reserved.