Zoom, one of the popular video conferencing apps, has been under fire recently for sending data to Facebook, and encryption issues which allowed hackers to upload Zoom meeting recordings on YouTube, and sell Zoom account data on the dark web.
Now, a new report by Motherboard reveals that hackers are selling two critical Zoom zero-day exploits, one for Windows and one for macOS, priced at $500,000. These flaws allow attackers to hack Zoom user accounts and spy on their calls.
According to the publication’s sources, the actual code for these vulnerabilities hasn’t been shown to them, but they have been contacted by brokers offering it for sale.
A spike in demand for Zoom zero-days has been observed recently, because much of the communication between employees and executives at large companies around the world has shifted to Zoom during the coronavirus pandemic. Many of these meetings are sensitive or confidential, which makes them a valuable target for hackers or competitors.
Windows Zero-Day in Zoom
According to the sources, the Windows zero-day is an RCE (Remote Code Execution) bug, which makes it a perfect tool for industrial espionage. In plain words, an RCE exploit gives attackers access to the victim’s whole device, not just the app they are targeting. That said, the hackers would still need another bug to pair with the RCE zero-day in order to launch an attack.
macOS Zero-Day In Zoom
The zero-day found on macOS is not an RCE, according to Motherboard’s sources. This makes it less dangerous and harder to use in a real attack.
Besides this, the report also says that both of these exploits require the attacker to be in a call with the victim, which makes them less useful for any spying agency that wants to attack stealthily and doesn’t want to get caught.
In response to the news of such exploits being sold, Zoom told Motherboard: “To date, we have not found any evidence substantiating these claims.”
Even setting these exploits aside, there are a number of reasons not to use Zoom. Companies like Google have banned the use of Zoom for official communication, so it’s better to opt for Zoom alternatives until all such issues are resolved.