Software vulnerability brokers are reportedly in possession of two zero-day Zoom video conferencing app exploits – one affecting Windows clients and the other impacting OS X clients – and they are looking to sell.
The Zoom for Windows vulnerability is a remote code execution bug that the hackers are offering for a hefty sum of $500,000, Motherboard/Vice has reported, citing three separate sources. The macOS vulnerability is not an RCE flaw and is therefore less critical and more difficult to leverage in an attack.
The Windows exploit reportedly would enable unauthorized access to the Zoom app, potentially allowing malicious actors, pranksters or corporate spies to join a call, albeit not in a particularly covert manner. Access to the machine running the app would require a second bug used in conjunction.
Zoom, of course, is in high demand as the world's workforce largely works from home while riding out the COVID-19 pandemic. This growing trend has shined a spotlight on deficiencies in Zoom app security, which has led to so-called Zoom bombings.
Two of Motherboard's sources are anonymous, but a third was identified as Netragard, a pen testing and red teaming company that once sold and traded zero-day bugs. Adriel Desautels, founder of the company, reportedly said, “I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.” None of the sources has seen the actual exploit code.
“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company reportedly said in a statement. “To date, we have not found any evidence substantiating these claims.”