Alleged Zoom Zero-Days for Windows, MacOS for Sale, Report

Alleged Windows flaw allows for remote code execution and is being flogged for $500,000.

Hackers claim they have discovered two zero-day vulnerabilities for the Zoom video conferencing platform that would allow threat actors to spy on people’s private video conferences and further exploit a target’s system.

The flaws target the Zoom clients for the Windows and macOS operating systems, according to a published report by Vice Motherboard. According to the report, the hackers are asking $500,000 for the Windows exploit. The article cites two unnamed zero-day brokers who claim the hackers approached them in an attempt to sell the exploit code.

It is important to note that, according to the Motherboard report, the brokers have not reviewed the actual zero-day code and are basing their opinion on what the hackers claim to have for sale. According to the article, the hackers allege the Windows exploit is a remote code execution (RCE) bug that would need to be chained with an additional exploit to fully compromise a target’s system. The macOS Zoom zero-day, by contrast, can only be executed locally, meaning it is not an RCE-class bug, according to the report.

In a statement to Motherboard, Zoom said it could not find evidence substantiating the claims made by the publication. One of the Motherboard sources speculated the hackers behind the alleged exploits are “just kids who hope to make a bang”.

The Windows code could be a significant threat to Zoom users, according to experts quoted by Motherboard. “[It is] a nice, a clean RCE perfect for industrial espionage.”

The alleged Windows zero-day also carries a prerequisite: the attacker must be a participant in the same Zoom meeting as the target in order to launch the attack, which narrows it from a fully remote exploit to one that requires the attacker to first get into the call.

Earlier this month, Zoom did patch two zero-day flaws in its macOS client that could give local, unprivileged attackers root privileges and allow access to victims’ microphone and camera.

Zoom Woes Have Been Mounting 

There is already evidence that Zoom enterprise and business users have been compromised by hackers. Last week, researchers uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials, including usernames and passwords for Zoom corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers and software vendors.

News of the vulnerabilities is the latest issue to plague Zoom, whose use has surged over the last month or so as governments around the world issued stay-at-home orders in the wake of the COVID-19 pandemic. Usage of the video-conferencing service has skyrocketed as millions have turned to the free platform to connect with friends, host work meetings, attend school lessons and do myriad other online activities.

ZoomBombing was the first widespread way attackers broke into video conferences: meeting links were easy to obtain, so uninvited participants could jump on calls and disrupt them with pornography, hate speech or even physical threats to users.

Zoom eventually tweaked its user interface, removing the meeting ID number from the title bar of its client, to mitigate the attacks. Before the tweak, anyone could join a Zoom meeting if they knew the meeting ID or link, and many users posted screenshots or links of their meetings on social-media channels.

A raft of other security threats emerged soon after, forcing Zoom to take action to mitigate and eliminate these threats. Zoom eliminated a feature called LinkedIn Sales Navigator that came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.

The company is currently facing a class-action lawsuit filed last week by one of its shareholders which alleges that the company made “materially false and misleading statements” that overstated its privacy and security measures, and claims that Zoom didn’t disclose its lack of end-to-end encryption.

All of these mounting woes inspired Zoom last week to recruit an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel as well as name third-party expert security advisory teams to help clean up its act.
