Hackers selling Zoom Windows and Mac exploits online


Exploits for serious vulnerabilities affecting Zoom for Windows and MacOS are available online after being put up for sale by hackers, security experts have warned.

The vulnerabilities are classed as zero-days (or 0-days), which means the vendor is unaware of their existence in its code and therefore temporarily powerless to prevent their exploitation.

The zero-day present in Zoom’s Windows application reportedly allows the hackers to execute code on the target device remotely, and is listed for purchase online at $500,000.


Zoom security issues

Zoom’s security standards have come under scrutiny in recent weeks, amplified by the explosion in users brought about by coronavirus quarantine measures.

Researchers have uncovered a litany of vulnerabilities - from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development to focus on eliminating security flaws.

According to anonymous sources, who have not examined the code first hand but have spoken with the selling party, the two new exploits vary in potency.

The zero-day present in Zoom for Windows could be used to gain access to the application, but not the device it’s held on. To abuse the bug, the hacker would also need to join the same video conference as the victim, ruling out a stealth-based assault.

The flaw affecting Zoom’s MacOS client, meanwhile, does not allow for remote code execution and is therefore less threatening to end users.

In a written statement, Zoom confirmed it is investigating the zero-days but disputed the legitimacy of the rumours.

“Zoom takes user security extremely seriously. Since learning of these rumours, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” said the firm.

“To date, we have not found any evidence substantiating these claims,” it added.

Via Motherboard

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
