Dutch security researchers earned $200,000 for reporting a zero-day vulnerability in Zoom that an attacker can exploit to achieve remote code execution (RCE) on a victim's machine, and from there deploy additional payloads.
Pwn2Own, run by the Zero Day Initiative, is a contest in which white-hat security professionals and teams compete to exploit popular software and services, earning cash rewards for each successful demonstration.
In the latest competition there were 23 entries across categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege. One of the most notable was a Zoom bug demonstrated by Daan Keuper and Thijs Alkemade. The bug affected only Zoom Chat, not video conferences.
The two researchers from Computest demonstrated a three-step attack chain that achieved RCE on a target machine with zero interaction from the user.
The specific technical details of the vulnerability will remain secret until Zoom patches the bug. However, the researchers demonstrated the attack in an animation in which the "attacker" opened a calculator on a machine running Zoom by exploiting the bug.
The attack works on both the Windows and Mac versions of the Zoom client. It does not work against the browser version of the videoconferencing software, and it has not been tested on iOS or Android.
Zoom thanked the two Dutch researchers and said that the company was "working to mitigate this issue with respect to Zoom Chat."
“The attack must also originate from an accepted external contact or be a part of the target’s same organizational account,” Zoom added. “As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust.”
As is standard practice for Pwn2Own disclosures, Zoom has 90 days to resolve the security issue before the details are published.