Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]
Updated with comment from Zoom.
There's a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.
Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (April 7) as part of the twice-yearly Pwn2Own hacking competition.
In fact, Keuper and Alkemade chained together three different flaws — some of which may have been previously known — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making certain the Zoom app was running.
Here's a tweet from the Pwn2Own competition displaying an animation of the hack in action. The sudden launch of the calculator app shows that the researchers have gained control of the machine. But the animation offers no inkling about how Keuper and Alkemade pulled it off.
We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the issues in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW (April 7, 2021)
The exploit also works on the Zoom desktop client for Mac, explained Malwarebytes researcher Pieter Arntz in a blog post. However, the browser version of the Zoom meeting client is not affected.
Zoom itself is a major sponsor of this year's Pwn2Own competition. There's been no mention of the exploit on the Zoom website yet, but we can be pretty sure Zoom's own people are working to fix this flaw as quickly as possible. Under Pwn2Own rules, software developers have 90 days to fix flaws revealed during the competition.
For their trouble, Keuper and Alkemade received $200,000, no doubt a nice supplement to their day jobs at Dutch cybersecurity firm Computest.
As long as Keuper, Alkemade and the Zoom security team stay tight-lipped about how this exploit works, there's little chance that hackers will use it to hijack computers running Zoom.
What you can do
If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)
The Pwn2Own competition, now run by Trend Micro's Zero Day Initiative team, has been running since 2007.
White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real time before a live audience. Winners must share their methods privately with the developers of the software they've hacked.
Update: Zoom statement
Zoom reached out to us after this story was first published to provide this statement:
"We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest.
We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target's same organizational account.
As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you've found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."
Source: https://www.tomsguide.com/news/zoom-security-flaw-pwn2own
Posted by: spencerkedis1965.blogspot.com
