Updated with comment from Zoom.
There's a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.
Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (April 7) as part of the twice-yearly Pwn2Own hacking competition (opens in new tab).
- Zoom security issues: Here's everything that's gone wrong (so far)
- Don't miss our Acer ConceptD 7 Ezel review
- How to set up a Zoom meeting
In fact, Keuper and Alkemade chained together three different flaws — some of which may have been previously known — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making sure the Zoom app was running.
Here's a tweet from the Pwn2Own competition displaying an animation of the hack in action. The sudden launch of the calculator app shows that the researchers have gained control of the machine. But the animation offers no clue about how Keuper and Alkemade pulled it off.
We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aWApril 7, 2021
The exploit also works on the Zoom desktop client for Mac, explained Malwarebytes researcher Pieter Arntz (opens in new tab) in a blog post. However, the browser version of the Zoom meeting client is not affected.
Zoom itself is a major sponsor (opens in new tab) of this year's Pwn2Own competition. There's been no mention of the exploit on the Zoom website yet, but we can be pretty sure Zoom's own people are working to fix this flaw as quickly as possible. Under Pwn2Own rules, software developers have 90 days to fix flaws revealed during the competition.
For their trouble, Keuper and Alkemade received $200,000, no doubt a nice supplement to their day jobs at Dutch cybersecurity firm Computest.
As long as Keuper, Alkemade and the Zoom security team stay tight-lipped about how this exploit works, there's little chance that hackers will use it to hijack computers running Zoom.
What you can do
If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)
The Pwn2Own competition, now run by Trend Micro's Zero Day Initiative team, has been running since 2007.
White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real-time before a live audience. Winners must share their methods privately with the developers of the software they've hacked.
Update: Zoom statement
Zoom reached out to us after this story was first published to provide this statement:
"We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest.
We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target's same organizational account.
As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you've found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."