An exploit for a zero-day remote code execution vulnerability affecting the Zoom Windows client is currently being sold for $500,000, together with one designed to abuse a bug in the video conferencing platform’s macOS client.
Zero-days are vulnerabilities that haven’t yet been patched by the affected software or hardware vendor and that allow attackers to compromise any targets running or using the unpatched products.
While there is no fixed price for exploits abusing this type of security flaw, some exploit acquisition platforms such as Zerodium pay exploit developers between $2,000 and $2,500,000, depending “on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit.”
Up for sale via exploit brokers
While the exploits and their source code aren’t yet public, sources with experience in the zero-day exploit market “have been contacted by exploit brokers offering them for sale,” as Motherboard first reported.
“From what I’ve heard, there are two zero-day exploits in circulation for Zoom. […] One affects OS X and the other Windows,” Adriel Desautels, the founder of Netragard, a company that used to run an exploit acquisition platform, told Motherboard.
“I don’t expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered,” he added.
Motherboard further confirmed the existence of the two exploits for the Zoom Windows and macOS zero-days with two other sources who wished to remain anonymous.
One of them said that the Windows zero-day is a remote code execution vulnerability that could allow potential attackers to execute arbitrary code on systems running a Zoom Windows client and even take full control of the device if coupled with other bugs.
The $500,000 price tag attached to this exploit might be justified, as the independent source said that it’s “perfect for industrial espionage.”
However, the exploit requires the attackers to be in the same call as the target, which drastically reduces its value from the point of view of a state-backed hacker and thus also lessens its appeal to those who might be in the market to buy such a tool.
“I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang,” one of the anonymous sources explained, while also saying that the price asked for the zero-day shouldn’t be over half of the current price tag.
The macOS exploit has a lower security impact, as it doesn’t abuse an RCE bug, based on the sources’ description.
“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” a statement from Zoom says. “To date, we have not found any evidence substantiating these claims.”
Measures taken to address security, privacy concerns
Zoom has been affected by a series of issues since the start of 2020, having to patch a security vulnerability in January that could’ve enabled attackers to identify and join unprotected Zoom meetings.
As BleepingComputer reported on Monday, more than 500,000 Zoom accounts are being sold on hacker forums and on the dark web for less than a penny each, and, in some cases, also given away for free to be used in zoom-bombing pranks and various other malicious activities.
In late March, Zoom removed the Facebook SDK from the Zoom iOS app after Motherboard reported that it collected and sent device info to Facebook’s servers.
In April, Zoom fixed macOS security issues uncovered by Patrick Wardle, as well as a UNC link issue that could’ve allowed attackers to steal users’ Windows NTLM credentials or remotely launch executables.
Zoom also clarified the confusion created around its platform’s encryption on the same day, and it also removed the attendee attention tracker feature and the LinkedIn Sales Navigator app to block unnecessary data disclosure.
These privacy and security issues affecting Zoom’s platform and software come on the heels of a sharp increase in new monthly active users since the start of 2020, after millions of users working and learning from home during the pandemic adopted it as their default video conference platform.
Zoom-bombing is illegal
Starting April 4, Zoom enabled a Waiting Room feature allowing hosts to control when participants join meetings. It now also requires a password when scheduling new meetings, instant meetings, or webinars, and has removed the meeting ID from the title bar when conducting meetings.
These measures were taken to provide Zoom users with defense tools against the rising threat of Zoom-bombing incidents, which the FBI warned about in March.
The Department of Justice and Offices of the United States Attorneys also warned in early April that Zoom-bombing is illegal and that those involved will be charged with federal and state crimes that can lead to fines and/or imprisonment.
BleepingComputer has an exhaustive guide on the steps needed to properly secure online meetings from Zoom-bombing attacks.