Security researchers have discovered a zero-day vulnerability in video conferencing platform Zoom which can be used by cybercriminals to launch remote code execution (RCE) attacks.
The vulnerability was discovered as part of a contest, Pwn2Own, organized by cybersecurity firm Trend Micro’s Zero Day Initiative (ZDI), a program designed to reward security researchers for responsibly disclosing vulnerabilities.
The researchers from the Netherlands-based Computest won $200,000 for the discovery.
“Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own,” Zero Day Initiative tweeted on Thursday.
The competition included 23 separate entries, targeting 10 different products in the categories of web browsers, virtualisation, servers, local escalation of privilege, and enterprise communications.
The specific technical details of the vulnerability have not been made public as Zoom has not yet had time to patch the security issue, ZDNet reported.
In vulnerability disclosure programmes, it is a standard practice to offer vendors a 90-day window to fix a newly discovered security issue.
As noted by Malwarebytes, the attack works on the Windows and Mac versions of the Zoom software, but it does not affect the browser version.
It is not not clear whether the iOS- and Android-apps are vulnerable since Keuper and Alkemade did not look into those, according to the report.
While thanking the Computest researchers, Zoom, in a statement to Tom’s Guide, said the company was “working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue”.
