The vulnerabilities were discovered by researchers Daan Keuper and Thijs Alkemade of Computest Security, a software company
The user did not have to click anything for the attack to successfully take over their computer. The error is shown in the action below.
We’re still confirming the details of the #Zoom exploit with Daan and Thijs, but here’s a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW
- Zero Day Initiative (@thezdi) April 7, 2021
According to MalwareBytes Labs, the attack must come fromfrom an accepted external contact or be part of the same organization account. This also affected Zoom Chat, the company's messaging platform, but did not impact in-session chat in Zoom meetings and Zoom video webinars.
Keuper and Alkemad won $200 for their discovery000. This was the first time the competition featured a Corporate Communications category - given the pandemic, it's no surprise why Zoom was a participant and sponsor of the event.
In a statement announcing Cooper and Alquemade's victory, the companyComputest reported that the researchers were able to take almost complete control of the target systems, performing actions such as turning on the camera, unmuting the microphone, reading email, checking the screen, and downloading browser history.
Zoom made headlines last yeardue to various vulnerabilities. However, this mainly concerned the security of the application itself, as well as the ability to view and listen along with video calls. Our discoveries are even more serious. The vulnerabilities in the client allowed us to take over the entire system from the users, ”Keuper said in a statement.
See also:
- Infrared radiation from human hands was used for encryption
- Created the first accurate map of the world. What's wrong with everyone else?
- In Death Valley, bacteria were found that were in evolutionary stagnation for millions of years