At the recent Pwn2Own hacking contest, security researchers Daan Keuper and Thijs Alkemade from Computest Security demonstrated a chain of zero-day vulnerabilities in the Zoom desktop client. These vulnerabilities allow an attacker to execute arbitrary code on users' devices.
For their work, Keuper and Alkemade were awarded $200,000 by Zoom. They stated that while earlier Zoom vulnerabilities allowed attackers to infiltrate calls, their exploit was a lot more serious, as it allows attackers to take over the entire system. The researchers chained three different vulnerabilities in Zoom into a single working exploit.
Far more frightening is that they could take over remote systems running the Zoom client without any user interaction: the victim wasn't required to click a link or open an attachment. Keuper and Alkemade then had nearly full control of the victim's computer, which they demonstrated by turning on the webcam and microphone, reading the user's emails, and downloading the browser history.
Zoom, for their part, stated, "We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."
Zoom wasn't the only vulnerable video-conferencing client: another ethical hacker claimed $200,000 for exposing vulnerabilities in Microsoft Teams. Microsoft was likewise grateful, hence the large sum awarded.
With all this money being bandied about, it may be time to learn some hacking skills that I can use ethically to help pay for my kid's college tuition.