Zoom Cloud Meetings is a video conferencing app that recently took off reaching unrivalled heights during the ongoing COVID-19 (coronavirus) pandemic. However, this popularity has brought a number of new security and privacy issues in front of the public. The company has been hard at work trying to fix these flaws and win back the public. However, with each new day, we see the app getting hit by a new issue.
Now, two new zero-day flaws have surfaced according to a report by Motherboard. The first flaw is located inside of the Windows version of the client, whereas, the other flaw has been located inside of the macOS client. The expoilts have already made their way online and are being sold for huge amounts.
The Windows exploit is currently being sold by brokers and is priced at $5,00,000 (approximately Rs 3.83 crore). The report does not state the amount that is being asked for the macOS exploit.
It states that exploit for the Windows client is a Remote Code Execution (RCE), whereas, the one for the macOS client is not RCE, “making it less dangerous and harder to use.” This means that the macOS exploring will not be as valuable. Zero-Day vulnerabilities are vulnerabilities that have never been used.
An RCE exploit allows hackers to execute code on the target's computer without having to rely on a phishing attack. Using it hackers can gain full access to a user's machine.
“From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered,” Motherboard quoted Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days.
The report added that Zoom in a reply to their query said that they were not able to find any evidence for the claims made by the publication's sources.