According to a recent report, hackers are selling two critical vulnerabilities for the video conferencing software Zoom that could allow people to gain access to private accounts and spy on calls. The price for an exploit that would allow a hacker to take control of a Zoom user’s computer is reportedly $500,000.
Vice News reports that hackers are selling two vulnerabilities for the video conferencing software Zoom that could allow people to gain access to users’ private accounts and calls. The two vulnerabilities are called zero-days, which refers to computer system vulnerabilities that have not been patched or made public, in Zoom’s Windows and MacOS clients.
Vice News previously reported that since the boost in Zoom usage due to the coronavirus pandemic, interest in zero-day exploits for the app has increased significantly. Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days, commented on the interest in Zoom exploits stating: “From what I’ve heard, there are two zero-day exploits in circulation for Zoom. […] One affects OS X and the other Windows. I don’t expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”
Two other sources confirmed to Vice News that the Zoom zero-day exploits do indeed exist, one source who is a veteran of the cybersecurity industry stated: “[The Windows zero-day] is nice, a clean RCE [Remote Code Execution]. Perfect for industrial espionage.”
Remote Code Execution exploits are highly valuable bugs as they allow hackers to gain access to systems without having to rely on the target falling for a phishing attack. These attacks allow hackers to execute code on the target computer. The asking price for the zero-day for the Zoom Windows app is $500,000 according to once source.
The source stated that the exploit requires hackers to be in a call with the target which makes it less valuable for a government spy agency that aims to avoid detection. The source estimated that the exploit was worth around half the asking price, stating: “I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang.”
The MacOS exploit is not an RCE which makes it less dangerous and harder to use according to two sources. Zoom commented on the existence of the hacks stating: “Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them. To date, we have not found any evidence substantiating these claims.”
Breitbart News recently reported that the CEO of the video conferencing company apologized in a blog post over the various security issues that its 200 million daily users are facing on the platform. CEO Eric Yuan announced a number of measures that the company is taking to make the app more secure as millions of Americans use the app to work and study from home. Breitbart News covered the criticism of the company over its lack of action on “Zoom bombing.”
Zoom’s usage has exploded since the beginning of the Wuhan coronavirus pandemic in January as many worldwide are forced to work or attend school from home, using the app for group meetings and online classes. In the blog post, Yuan stated that usage had increased by 1,900 percent with 200 million daily free and paying users in March up from 10 million at the end of December.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address lucasnolan@protonmail.com