There’s a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.
Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (April 7) as part of the twice-yearly Pwn2Own hacking competition.
In fact, Keuper and Alkemade chained together three different flaws — some of which may have been previously known — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making sure the Zoom app was running.
Here’s a tweet from the Pwn2Own competition displaying an animation of the hack in action. The sudden launch of the calculator app shows that the researchers have gained control of the machine. But the animation offers no clue about how Keuper and Alkemade pulled it off.
"We’re still confirming the details of the #Zoom exploit with Daan and Thijs, but here’s a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW" (Pwn2Own, April 7, 2021)
The exploit also works on the Zoom desktop client for Mac, explained Malwarebytes researcher Pieter Arntz in a blog post. However, the browser version of the Zoom meeting client is not affected.
Zoom itself is a major sponsor of this year’s Pwn2Own competition. There’s been no mention of the exploit on the Zoom website yet, but we can be pretty sure Zoom’s own people are working to fix this flaw as quickly as possible. Under Pwn2Own rules, software developers have 90 days to fix flaws revealed during the competition.
For their trouble, Keuper and Alkemade received $200,000, no doubt a nice supplement to their day jobs at Dutch cybersecurity firm Computest.
As long as Keuper, Alkemade and the Zoom security team stay tight-lipped about how this exploit works, there’s little chance that hackers will use it to hijack computers running Zoom.
What you can do
If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)
The Pwn2Own competition, now run by Trend Micro’s Zero Day Initiative team, has been running since 2007.
White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real-time before a live audience. Winners must share their methods privately with the developers of the software they’ve hacked.