


Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]


Updated with comment from Zoom.

There's a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.

Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (Apr 7) as part of the twice-yearly Pwn2Own hacking competition.


In fact, Keuper and Alkemade chained together three different flaws — some of which may have been previously known — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making sure the Zoom app was running.

Here's a tweet from the Pwn2Own competition displaying an animation of the hack in action. The sudden launch of the calculator app shows that the researchers have gained control of the machine. But the animation offers no clue as to how Keuper and Alkemade pulled it off.

The exploit also works on the Zoom desktop client for Mac, explained Malwarebytes researcher Pieter Arntz in a blog post. However, the browser version of the Zoom meeting client is not affected.

Zoom itself is a major sponsor of this year's Pwn2Own contest. There's been no mention of the exploit on the Zoom website yet, but we can be pretty sure Zoom's own people are working to fix this flaw as quickly as possible. Under Pwn2Own rules, software developers have 90 days to fix flaws revealed during the competition.

For their trouble, Keuper and Alkemade received $200,000, no doubt a nice supplement to their day jobs at Dutch cybersecurity firm Computest.

As long as Keuper, Alkemade and the Zoom security team stay tight-lipped about how this exploit works, there's little chance that hackers will use it to hijack computers running Zoom.

What you can do

If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)

The Pwn2Own competition, now run by Trend Micro's Zero Day Initiative team, has been running since 2007.

White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real time before a live audience. Winners must share their methods privately with the developers of the software they've hacked.

Update: Zoom statement

Zoom reached out to us after this story was first published to provide this statement:

"We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and deeply appreciate the research from Computest.

We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars is not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target's same organizational account.

As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you've found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/zoom-security-flaw-pwn2own
