Hackers are selling two zero-day vulnerabilities in the Zoom video conferencing software, one for Windows and another for macOS.
A Zero-day vulnerability is a software security vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability. Until the vulnerability is fixed, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
According to a report by Motherboard, one source, who estimated the exploit to be worth around half the asking price, said: “I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang.”
“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement. “To date, we have not found any evidence substantiating these claims.”
The zero-day for Zoom on Windows would allow hackers to access the app, but would need to be coupled with another bug to access the whole machine. The macOS one is not a remote code execution (RCE) bug, according to the two anonymous sources.
The asking price for the Windows zero-day is $500,000, Motherboard reported, citing one of the sources, who deals with the procurement of exploits but has decided not to purchase this one.
Previously, the FBI had issued a warning about Zoom meeting hijacking. The U.S. Senate has also advised government agencies not to use Zoom.
Today, during the global COVID-19 lockdown, everyone is using video conferencing software for personal calls, meetings and teaching. Bugs can be found in any software, but recently Zoom’s have been exposed badly.
Top Companies Have Banned Zoom
- Google has banned the Zoom video conferencing software for its employee laptops, and said it doesn’t meet security standards.
- Elon Musk’s rocket company SpaceX has banned its employees from using the video conferencing app Zoom, citing “significant privacy and security concerns.”
- Siemens told its staff not to use Zoom video conferencing software.
- Standard Chartered Bank (Stanchart) issued a notice to its staff not to use Zoom.
“Zoom Not Safe” Indian Government Warns People On Video Conference Service, NDTV reported.
“Zoom is not a safe platform even for usage of individuals, a detailed advisory has already been issued by CERT-India,” the home ministry said in a new advisory.
“Most of the settings can be done by logging into the user’s Zoom account at the website, or in the installed application on a PC/laptop/phone, and also during the conduct of a conference. However, certain settings are possible through certain modes/channels only,” the guidelines from the Union home ministry read.
Zoom User Credentials Compromised
Two days ago, a report said that Zoom user credentials had been compromised, including each user’s email address, password, personal meeting URL and host key (a six-digit PIN tied to the owner’s Zoom account, used to claim host controls for a meeting). Some of these account details belong to high-profile companies including Chase and Citibank, according to Cyble, which checked the veracity of the accounts belonging to some of its clients and confirmed they were valid.
Zoom Responds and Commits
Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:
- Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing our current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
Zoom Upgraded Its Security Plan
New Security icon in the meeting controls
The newly released Security icon in the toolbar provides Zoom Meetings hosts and co-hosts with one-click access to a number of existing Zoom security features, including Lock Meeting and Enable the Waiting Room.
Enhanced meeting password complexity
Account owners and admins can now configure minimum meeting password requirements to include numbers, letters, and special characters, or allow only numeric passwords. Free Basic account users will now use alphanumeric passwords by default instead of numeric passwords.
Bug bounty program with Katie Moussouris of Luta Security
Zoom will be working with Luta Security to reboot our bug bounty program. Luta Security was founded by Katie Moussouris, who created some of the most important vulnerability programs still running today. She started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft’s and the Pentagon’s bug bounty programs. Luta Security will be assessing Zoom’s program holistically with a 90-day “get well” plan, which will cover all internal vulnerability handling processes.
In the first week of the month, a UNC path injection vulnerability was found in Zoom.
Attackers could use it to steal Windows credentials: once a user clicked a malicious UNC link, Windows would automatically send authentication data to the attacker-controlled SMB share, without the knowledge of the targeted user. Zoom has since fixed this vulnerability.
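As an added illustration (not Zoom's code), here is a toy chat linkifier in Python: the vulnerable version turns UNC paths into clickable links, which is the behaviour behind the reported Zoom chat bug, while the hardened version allow-lists http/https and leaves UNC paths as inert text; `find_unc_paths` is a detection hook for chat-monitoring alerts. The sample message and the 203.0.113.5 host are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed example, not Zoom's code. Anything that looks like a link target:
# http(s) URLs and Windows UNC paths written as two backslashes, host, share...
_TOKEN_RE = re.compile(r"""https?://[^\s<>"']+|\\\\[^\s<>"']+""")
_SAFE_SCHEMES = {"http", "https"}  # the only schemes the hardened path will link

def _render(message: str, is_linkable) -> str:
    """HTML-escape the message; wrap tokens accepted by is_linkable in <a>."""
    out, pos = [], 0
    for m in _TOKEN_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        tok = m.group(0)
        if is_linkable(tok):
            safe = html.escape(tok, quote=True)
            out.append(f'<a href="{safe}">{safe}</a>')
        else:
            out.append(html.escape(tok))  # rendered as inert text, not a link
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)

def linkify_vulnerable(message: str) -> str:
    """Risky behaviour: every token, UNC paths included, becomes clickable.
    Clicking a UNC link makes Windows open an SMB session to the named host
    and send the user's authentication data to it."""
    return _render(message, lambda tok: True)

def linkify_hardened(message: str) -> str:
    """Fix: allow-list URL schemes, so UNC paths stay plain, unclickable text."""
    def ok(tok: str) -> bool:
        parts = urlsplit(tok)
        return parts.scheme.lower() in _SAFE_SCHEMES and bool(parts.netloc)
    return _render(message, ok)

def find_unc_paths(message: str) -> list:
    """Detection helper: UNC paths in a message, for chat-monitoring alerts."""
    return [t for t in _TOKEN_RE.findall(message) if t.startswith("\\\\")]

# Constructed chat message: one legitimate URL and one UNC path pointing at a
# host in the RFC 5737 documentation range (made-up, not a real indicator).
SAMPLE = r"Slides: https://example.com/deck  also see \\203.0.113.5\share\notes.txt"

if __name__ == "__main__":
    print(linkify_vulnerable(SAMPLE))
    print(linkify_hardened(SAMPLE))
    print(find_unc_paths(SAMPLE))
```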