Researchers have found a particularly dangerous vulnerability in Zoom. The ‘remote code execution’ bug has been fixed in the meantime.
Hackers reveal their vulnerabilities in an extensive report on the company’s blog. This is a so-called ‘remote code execution’ vulnerability, with which you can, in principle, take over the victim’s computer via the Zoom app.
The hack uses three different bugs, including CVE-2021-30480, a long-known vulnerability that arises when connecting to a remote computer. Unfortunately, as the gentlemen of Sector 7 write, it required some coding to make that a workable hack as well, including by manipulating code in the forwarding of image links.
The victim must accept the attacker as contact via Zoom or work for the same organization for the hack to work. The hack worked on macOS and Windows.
The bug was found during an April hackathon, Pwn2Own, sponsored by the Zero Day Initiative with the collaboration of Zoom itself. Daan Keuper and Thijs Alkemade of Sector 7 won a prize of $ 200,000 with it. In the months since the game, Zoom has patched up the vulnerabilities.