Two Dutch hackers from Computest Security, Daan Keuper and Thijs Alkemade, have discovered critical security vulnerabilities in the video calling application Zoom. For discovering and reporting these critical security leaks, they will receive a reward of 200,000 dollars.
The security experts of Computest Security have found so-called zero-day vulnerabilities. These vulnerabilities have not been discovered before. The problems are so critical that hackers can remotely take over an entire system without the user noticing. The security problems are located in the Zoom client software that users have installed on their PC.
The ethical hackers managed to execute code on several computers. This enabled them to take over the entire system, gain access to all the data present, and gain access to the microphone and webcam. The user does not have to do anything for this: the mere presence of the Zoom client on the machine is sufficient.
Keuper: “Zoom was already under fire last year because of the number of vulnerabilities. It was mainly about the security of the application itself and the possibility of watching and listening in on video calls. However, our discoveries go further. Due to vulnerabilities in the client, we were able to take over users’ entire systems. A serious privacy issue with which we qualified for participation in Pwn2Own and eventually won.”
We wrote an extensive article about Zoom’s problems early last year: Staggering: Zoom totally ignored security and privacy of customers. The company then took a lot of action to solve the problems. For 90 days, everything was put aside to improve security. New encryption was applied, and various other measures were taken. We also reported on this at the time: How video platform Zoom got its security in check.
It appears that it was all insufficient, and Zoom is still struggling with a fair number of security problems. Fortunately for Zoom, this time it involved ethical hackers. The 200,000 dollars compensation that the gentlemen receive for finding the problems and reporting them to Zoom is more than worth it. If these security leaks had fallen into the wrong hands, the damage would have been a lot worse.
Computest Security hackers were allowed to present their findings during the international hacker competition Pwn2Own, part of the security conference CanSecWest. Large technology companies such as Adobe, Google, Microsoft and Tesla have been participating in Pwn2Own for some time now to have their software tested by ethical hackers. Now that we have started working from home on a massive scale, the tools used for this purpose have become an attractive target for hackers. This made the organisation decide to add the new category Enterprise Communications this year. This was the first time that Zoom was included in the programme. Hopefully not for the last time.