A pair of Dutch hackers have secured $200,000 in reward money after discovering and demonstrating a zero-day flaw in Zoom’s videoconferencing software.
As Malwarebytes reports, the flaw was used during the latest Pwn2Own event, which is organized as a challenge to hackers by the Zero Day Initiative. Companies volunteer their software and services for participants to hack, and offer rewards for doing so in return. Everyone wins at Pwn2Own—hackers earn money legally for their skills, and developers can then make their software more secure before the exploit becomes public knowledge.
The hackers in question are Daan Keuper and Thijs Alkemade, both of whom work for cybersecurity company Computest. They actually combined three vulnerabilities to hack into a remote system during the challenge, which resulted in them being able to open the calculator app on the target machine. No user interaction was required to achieve this; there just needed to be a Zoom call in progress.
The exploit relied on a Remote Code Execution (RCE) flaw, which allows a hacker to execute any code they wish on a remote machine, either on a local network or over the internet. The fact that it’s a zero-day flaw for Zoom makes it a very serious threat to the service. However, Zoom’s development team now has 90 days before the exploit is made public, which should be ample time to close the security hole and roll out a patch to millions of users.