Security researchers discover critical vulnerability in Zoom during Pwn2Own, wins $200,000
A zero-day vulnerability in video conferencing platform Zoom which can be used by cybercriminals to launch remote code execution (RCE) attacks has been discovered by security researchers.
The vulnerability was discovered as part of a contest, Pwn2Own, organised by cybersecurity firm Trend Micro’s Zero Day Initiative (ZDI). It is a contest designed for white-hat cybersecurity professionals who compete in the discovery of vulnerabilities in popular software and services.
The winning, from the Netherlands-based Computest, won $200,000 for the discovery.
“Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own,” Zero Day Initiative tweeted on Thursday.
This latest competition witnessed participation of 23 separate representatives, targeting 10 different products in the categories of web browsers, virtualisation, servers, local escalation of privilege, and enterprise communications.
The specific technical details of the vulnerability have not been made public as Zoom has not yet had time to patch the security issue, ZDNet reported.
In vulnerability disclosure programmes, it is a standard practice to offer vendors a 90-day window to fix a newly discovered security issue.
As noted by Malwarebytes, the attack works on the Windows and Mac version of the Zoom software, but it does not affect the browser version.
It is not clear whether the iOS- and Android apps are vulnerable since Keuper and Alkemade did not look into those, according to the report.
In a statement to Tom’s Guide, Zoom expressed its gratitude to the winning team saying the company was “working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue”.