Zoom’s meteoric rise in popularity has also drawn the close attention of hackers. Following the discovery of hundreds of thousands of Zoom passwords for sale online, news has broken of two zero-day vulnerabilities available for purchase.
The first zero-day targets Zoom for Windows and the other Zoom for Mac OS, with the former priced at $500,000, which experts see as hugely inflated given the limited severity of the flaw.
The Windows flaw is a remote code execution (RCE) zero-day, which means the hacker would be able to gain access to the application remotely, without the need to phish for credentials.
“The Windows zero-day is nice, a clean RCE…perfect for industrial espionage” an anonymous source, veteran of the cybersecurity industry, told Vice.
However, in order to gain access to the entire machine, the attacker would need to harness a second exploit in tandem, adding a layer of friction. The perpetrator would also need to join the victim’s video conference, eliminating the opportunity for a stealth-based attack.
The MacOS flaw is not an RCE and therefore poses less of a distinct threat.
Evaluating the vulnerabilities, one source explained the asking price is not proportional with the threat posed by the flaw.
“I don’t see how it makes sense compared to the concrete potential in terms of intelligence. I think it’s just kids who hope to make a bang.”