Exploits for serious vulnerabilities affecting Zoom for Windows and MacOS are available online after being put up for sale by hackers, security experts have warned.
The vulnerabilities are classed as zero-days (or 0-days), which means the vendor is unaware of their existence in its code and therefore temporarily powerless to prevent their exploitation.
The zero-day present in Zoom’s Windows application reportedly allows the hackers to execute code on the target device remotely, and is listed for sale online at $500,000.
Zoom security issues
Zoom’s security standards have come under scrutiny in recent weeks, amplified by the explosion in users brought about by coronavirus quarantine measures. Researchers have uncovered a litany of vulnerabilities – from the opportunity for credential theft to app hijacking, malicious code injection and more – forcing the company to suspend product development to focus on eliminating security flaws.
According to anonymous sources, who have not examined the code first hand but have spoken with the selling party, the two new exploits vary in potency.
The zero-day present in Zoom for Windows could be used to gain access to the application, but not the device it runs on. To abuse the bug, the hacker would also need to join the same video conference as the victim, ruling out a stealthy attack.
The flaw affecting Zoom’s MacOS client, meanwhile, does not allow for remote code execution and is therefore less threatening to end users.
In a written statement, Zoom confirmed it is investigating the zero-days but disputed the legitimacy of the rumours.
“Zoom takes user security extremely seriously. Since learning of these rumours, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” said the firm.