At DEF CON 28, which was held online this year, researcher Mazin Ahmed demonstrated a number of vulnerabilities affecting the popular video conferencing application Zoom.
Zoom’s popularity has grown rapidly over the past year, from 10 million active users in early 2019 to over 200 million by mid-2020. Organizations around the world use Zoom for remote work. The UK government even used Zoom for cabinet meetings. Zoom has found its way into virtually every area of online life today.
Zoom’s popularity has made it a desirable target for hackers and the security community. For example, attackers actively used a bug that allowed brute-forcing the password to someone else’s conference. We also wrote that Cybercriminals Sell Exploits for 0-Day Zoom Vulnerability.
Two vulnerabilities affected the Zoom Linux client and allowed an attacker with access to a compromised system to read and extract Zoom user data, as well as run hidden malware.
“For some attacks, an attacker must compromise the victim’s device in some other way in advance, but this does not diminish the severity of the problems the victim would encounter,” notes Mazin Ahmed.
For example, one of the vulnerabilities is related to Zoom Launcher for Linux. It allowed an attacker to run unauthorized software disguised as Zoom executable files, thereby bypassing application whitelisting and allowing the malware to act as software from a trusted vendor (in this case, Zoom).
Also, an attacker with access to the victim’s machine could read and steal Zoom user data and configuration data simply by accessing the local database. Worse, the hacker could even access the chat messages that were stored on the system in plain text.
Ahmed also discovered issues with the Kerberos authentication service (ca01.idm.meetzoom.us) and TLS/SSL, as well as a data leak rooted in the old ImageMagick vulnerability (CVE-2017-15277), the exploitation of which involves downloading a malicious GIF file to the user profile.
However, the developers of Zoom refused to acknowledge this last vulnerability, saying that they did not use the problematic utility to convert GIF files to JPEG at all.
Ahmed informed the company about the problems in several stages, in April and July of this year, and the developers eliminated these shortcomings only recently, on August 3, 2020, with the release of version 5.2.4.
According to the researcher, he did not receive a penny for investigating vulnerabilities in Zoom.