What Everyone Must Know About ZOOM SECURITY FLAW LETS HACKERS TAKE CONTROL OF YOUR PC, PATCH TO BE ISSUED SOON
Article by: Jonathan Service | Posted on: Wed Apr 21 2021
The Zoom security glitch is quite critical in nature and was discovered by two Computest cybersecurity researchers at the Zero Day Initiative’s Pwn2Own bug bounty contest.
Zoom has already had a lifetime's fair share of cybersecurity issues, and the video conferencing app took a while (and Alex Stamos) to steady its ship on the security front after finding unexpected popularity due to the Covid-19-necessitated work from home mandates. Now, it appears to have retained a critical security flaw that could allow threat actors to carry out a remote code execution (RCE) attack and take control of host PCs. The vulnerability was discovered by two Computest cybersecurity researchers at the recent Pwn2Own competition, organized by the Zero Day Initiative.
For the hack to work, the attacker first needs to be part of the same organizational domain as the host PC’s user, or needs to be permitted to join the meeting by the host, which adds one layer of security, if nothing else. However, security and privacy advocates know that social engineering attacks, such as posing under stolen identities to gain access to private conferences and meetings, can breach such barriers, although this represents a different cybersecurity debate altogether.
Nevertheless, with the Zoom vulnerability, once attackers were part of a meeting, they could execute a chain of three malware relays to install an RCE backdoor on the targeted PC. In simpler terms, the attackers can gain access to your PC and subsequently execute remote commands that would give them access to your sensitive files. What’s even more alarming is that the attackers can carry out all of these actions without any user being required to do anything, removing the user-interaction step that could otherwise have slowed such attacks down.
Computest researchers Daan Keuter and Thijs Alkemade were awarded a $200,000 (~Rs 1.5 crore) bounty for making the critical discovery, which was also one of the headlining finds of this year’s Pwn2Own. The attack works on both Windows and Mac; Zoom’s iOS and Android apps haven’t been tested for it yet. The browser version remains unaffected by it. Since Zoom is yet to patch the flaw, the exact technical details of the vulnerability have not yet been disclosed to the public. The patch should arrive on Zoom for Windows and Mac within the next 90 days.
Recently it seems that there have been a lot of top well-known websites and companies reporting hacks and vulnerabilities. I suppose the question you would ask is "Are these companies taking all necessary measures to protect my data?" The answer is hard to stomach, as the recent Facebook hack shows some companies do not value our data as much as they should, and definitely not as much as we value our own data. The fact that Facebook will not notify the 533 million users exposed in an online database shows that the value of our data is not an important concept to some big websites. It should be, and now, with the EU looking at Facebook with an investigation underway and possible fines, it is now that they take notice of the severity of the situation.
I have some questions that not just me but all online users who value their privacy have.
Why is it that when these breaches happen, some websites only take notice when they are fined? Are their data protection procedures robust enough?
Was the security of the site set up so that any breach could be detected?
When was this hack/breach detected?
How long before the announcement did the company know about the breach/hack?
These are important questions that must be answered, and we need to know that they are answered satisfactorily. It is my opinion that too many websites gather more information than is required.
The more data they collect, the more valuable it is to hackers. Should we be aware of what information is held on these sites? The answer is yes: we should ourselves audit the sites we use and see what information is held, what is essential and what is not.