Zero-day exploits claim to let hackers spy on video calls
Details on how to exploit a pair of alleged vulnerabilities in the Zoom video conferencing platform are being offered for sale online by hackers.
That is the claim of three sources speaking to Motherboard, who say the exploits — one for PC and one for Mac — are being offered for sale through an online marketplace, priced at $500,000.
Both vulnerabilities are said to be in the most up-to-date versions of Zoom's PC and Mac applications, and are zero-days. This means they are vulnerabilities that are live now and have not yet been fixed.
Zoom recently grew a sizable target on its back for hackers, as the video conferencing platform quickly became the tool of choice for tens of millions of people stuck indoors during coronavirus lockdown.
Zoom is being used by over 200 million people to keep in touch with each other, as well as by company executives and even senior members of government (including the British Prime Minister and his cabinet members). Zoom has become the go-to place for digital parties, quizzes, dates and even weddings as friends and family socialize through video chat like never before.
The Windows-based Zoom exploit was described by one source as "perfect for industrial espionage," while cybersecurity expert Adriel Desautels told Motherboard: "From what I've heard, there are two zero-day exploits in circulation for Zoom...One affects OS X and the other Windows."
However, Desautels said he didn't expect the exploits to work for long, because, "when a zero-day gets used it gets discovered."
Zoom recently suspended the development of new features and said it will focus exclusively on user privacy and security for 90 days. In response to the latest claim of zero-day exploits being offered for sale, the company said: "Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them. To date, we have not found any evidence substantiating these claims."
Despite millions of new users and a rising share price, Zoom has struggled to keep on top of security issues as usage of the service has ballooned among the business and education community, along with personal calls. One issue involved the way strangers could 'zoombomb,' joining the video chats of strangers by guessing the web address if passwords weren't required for that call. This issue has been fixed, as all Zoom calls now require a password by default. But Zoom has since been sued in the US. The New York-based class-action lawsuit accuses Zoom of not using end-to-end encryption on video calls, despite its website claiming the service does. A second lawsuit, in California, claims Zoom gives personal user data to outside companies, including Facebook, without fully disclosing the practice.