Zoom is among the most used video conferencing apps and has gained a lot of users due to the ongoing coronavirus outbreak. But, there have been several security and privacy issues with the app and the team at Zoom is said to be trying to address all of them. Now, two “zero-day” flaws in the Zoom software have reportedly popped up online and exploits for these are being sold for huge sums of money. One of the flaws is present in the Windows version of Zoom client, whereas the other is part of the Zoom client for macOS.
According to a report by Motherboard, the exploit that takes advantage of ‘zero-day vulnerabilities’ in Zoom’s Windows client is up for sale via exploit brokers for $500,000 (roughly Rs. 3.83 crore). Zero-day flaws are unpatched and previously unknown vulnerabilities in a software or hardware.
Zoom vulnerabilities can allow someone to hack its users and spy on their calls, Motherboard states. The publication says three of its sources were contacted by brokers who were offering these exploits for sale.
“From what I’ve heard, there are two zero-day exploits in circulation for Zoom. […] One affects OS X and the other Windows.. I don’t expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered,” the report quotes Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days.
The exploit for Windows is a Remote Code Execution or RCE, as stated by one of the other two sources. These types of exploits allow hackers to execute code on the target’s computer without having to rely on a phishing attack that generally depends upon deceiving the target into sharing personal information like bank account details. RCE also allows hackers to access the target’s whole machine.
The exploit for Zoom for macOS is not RCE, “making it less dangerous and harder to use,” the report adds.
Zoom has responded to this report and said it did not find any evidence for these claims, Motherboard writes.