Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (vice.com)
Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard reported Wednesday. From the report: The two flaws are so-called zero-days, and are currently present in Zoom's Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale. Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they're in, they can be sold for thousands or even millions of dollars.
Last week, Motherboard reported that there was an increased interest in zero-days for Zoom as millions of people, including employees and executives at big companies around the world, moved onto the platform for sensitive or confidential meetings, due to the coronavirus pandemic. "From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows," said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. "I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered."
The amount of incompetence is staggering (Score:3, Informative)
It really seems that Zoom has managed to mess up everything with regards to security. Impressive. All too typical for current-day software "engineering" though. This mess has to stop.
Re:The amount of incompetence is staggering (Score:5, Insightful)
Zero days exist everywhere, every application, every OS.
Zoom happens to be in the spotlight, so they are getting lots of attention from both new users and the black hats, so the above seems harsh. Especially when we're talking about a consumer-grade product. We'll see what comes out of their immediate efforts to ramp up security. If they are all talk and no results, then they can be criticized for it, but for now they are publicly recognizing they have work to do and are presumably working on it. Disclosure: a Zoom user for work and family, but not a shareholder.
Re:The amount of incompetence is staggering (Score:4, Informative)
Did they use industry standard techniques like passwords, or setting the correct security headers in the browser to prevent XSS? Is Zoom using insecure practices that might allow an SQL injection (this should be 100% preventable)?
Does Zoom employ anyone to look at their code and think about security?
Does Zoom have an empty bug tracker, or is it overflowing, in such a way that security issues will get lost?
Does Zoom keep their dependencies up to date? At this point, it's trivial to run an audit of your codebase's dependencies (Github will do it for you free, as one example).
Does Zoom have their databases behind a firewall, or are they open to the public?
There are things companies can and should do to avoid security flaws. Many of them aren't even expensive, and some of them (keeping the bug tracker empty) actually improve development efficiency. These are reasons that companies should be liable if they don't follow the most basic security practices.
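Two of the "basic practices" the comment above asks about (preventable SQL injection, and sending the expected security headers) are shown below as runnable code. This is an added example written for this thread, not code from Zoom or from the commenter; the users table, the usernames and the list of expected headers are constructed for illustration, and the header policy is deliberately minimal rather than complete.

```python
"""Added example: parameterized queries beside the vulnerable pattern, plus a
small response-header check. Standard library only; all data is constructed."""
import sqlite3

# Constructed sample data: a tiny users table kept in an in-memory database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_unsafe(conn, name):
    """Vulnerable pattern: the caller's string is spliced into the SQL text,
    so a quote character in `name` changes the structure of the query."""
    sql = "SELECT email FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, name):
    """Hardened pattern: the driver binds `name` as a value. Whatever
    characters it contains, it is compared as data, never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Illustrative (not exhaustive) set of headers a browser-facing app is commonly
# expected to send. A value of None means "any value is fine, presence is what
# we check"; a string means the value must match (case-insensitively).
EXPECTED_HEADERS = {
    "Content-Security-Policy": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": None,
    "Strict-Transport-Security": None,
}


def missing_security_headers(headers):
    """Return the expected headers that are absent or carry the wrong value.

    `headers` maps response header name -> value; names are matched
    case-insensitively, as HTTP header names are.
    """
    present = {k.lower(): v for k, v in headers.items()}
    problems = []
    for name, wanted in EXPECTED_HEADERS.items():
        value = present.get(name.lower())
        if value is None or (wanted is not None and value.lower() != wanted.lower()):
            problems.append(name)
    return problems


if __name__ == "__main__":
    conn = make_db()
    # Constructed malformed input containing a quote character: the unsafe
    # lookup returns every row, the safe lookup matches nothing.
    bad_name = "x' OR '1'='1"
    print("unsafe:", lookup_email_unsafe(conn, bad_name))
    print("safe:  ", lookup_email_safe(conn, bad_name))
    print("missing headers:", missing_security_headers({"Content-Type": "text/html"}))
```

The point of the pair of lookup functions is that the fix costs nothing: the parameterized form is the same length as the vulnerable one, which is why the commenter can call SQL injection "100% preventable". The header check is the kind of assertion that belongs in an integration test so that a regression shows up before deployment rather than in a pentest report.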
Re: The amount of incompetence is staggering (Score:1)
Given a choice between developing a new feature that will increase company value by 50% over the next 3 years and fixing every trivial S4 & S5 bug "just because", I'll take the 50%, thanks.
Re: (Score:3)
I agree with everything except keeping the bug tracker empty. Not all bugs are worth fixing.
With well-written code bugs are rare, obvious, and easy to fix. The fact that your bug tracker is overflowing with bugs you call "trivial" is a sign that your codebase sucks. Specifically, it's poorly organized (meaning things are hard to find), interfaces are not well-defined, and in the worst case there is a lot of repeated code scattered throughout the system. Under those conditions, it is indeed impossible to write good code.
How do you make things better? Start by fixing your bugs. That's how you lear
Re: The amount of incompetence is staggering (Score:4, Insightful)
generally many of them are insignificant and not worth the time and effort to fix or are simply too expensive to resolve
If they are insignificant and too expensive to resolve, then that's a sure sign of a poorly designed system. The heuristic here is that simple changes should be simple and quick to make.
Re: The amount of incompetence is staggering (Score:4, Insightful)
complete and utter bullshit. Any product of sufficient size will have huge amounts of unresolved bugs no matter how well written.
Or is it that our standards have become so eroded that we believe that?
Re: The amount of incompetence is staggering (Score:2)
Bugs must be triaged and moved to a new state. They can be closed as will-not-fix, or some state that moves it to a future milestone.
Bugs in an open and unassigned state are not acceptable.
Re: (Score:2)
Ideally you have to write up something for why you won't fix something. And the overhead of the write up should be enough that it's sometimes easier to fix the bug than to explain why you aren't going to fix it.
Really you don't have to do any of these things. Quality software isn't mandatory. You can ship any old garbage and still make a ton of money. Eventually it catches up to you with a mountain of bugs, security problems, unhappy users, and an unhappy staff. Think of these as an ideal to meet. The day y
Re: (Score:2)
I noticed he totally ignored a 50% increase in revenue vs. his academic ideal of having a mythically perfect code base.
It's actually the opposite: a poor codebase slows you down to 10% of your earlier speed. Programming in that kind of codebase is like trying to walk through a river of molasses: it's really slow. This is an extreme example [youtube.com].
I'm not saying it has to be perfect, I'm saying it has to not suck. And fixing your bugs is the fastest way to get a codebase from sucking to not sucking.
yes they exist everywhere, but that doesn't mean they should be low hanging fruit. Zoom seems to have ignored security completely up until the last few weeks so the problems are coming thick and fast.
Exactly. If they had one of the numerous problems (well, maybe not the account theft), then that would have been acceptable. But this mass? That is incompetence.
Re: (Score:3)
There are unavoidable, hard-to-find and hard-to-exploit vulnerabilities. These you get when you do sound software engineering. And then there is screwing up. And that is what Zoom did.
Re: (Score:3)
Here is the thing: there has been lots of noise about Zoom and security. It's NOT a secure system. It has some basic controls, but in order to deliver all those nice features without massive bandwidth requirements at the endpoints etc., things like end-to-end encryption are simply not there. That isn't a criticism, it's just recognition of what things are. To use a car analogy: I have both a pickup and a sedan. You could probably put 15 bags of cement in the back of either and odds are you'd make it home from the home
Re: (Score:1)
Don't worry they have hired the guy who used to be responsible for Facebook's security.
Re: (Score:2)
The mess will stop quite shortly, they are a public company with crappy insecure software, they go kaboom on the markets. My read on this to be honest, a bunch of Zoom executives looking to cash in on a dying company. Zoom are fucked, the marketing damage done by the bannings is terminal, tee hee (sorry fellas but yeah your company is a goner).
Re: (Score:3)
Zoom are fucked, the marketing damage done by the bannings is terminal, tee hee (sorry fellas but yeah your company is a goner).
Unfortunately they'll probably survive. Cisco and Microsoft are still both here after forty years, and look at all the CVEs they've had.
Re: (Score:2)
Fewer competitors at that time, and organisations were not banning them. Do security fuck-ups now and the outcomes are pretty grim.
Re: The amount of incompetence is staggering (Score:2)
The companies and open source projects you used which did have zero-day flaws: are they gone? Did the price per share of the public companies crash on the news? Did the OS projects shrivel and die?
Ok then... welcome to reality. Security flaws *very* rarely kill a company or open source project. Maybe never. Has anything ever died as a direct result of a zero day or other breach? I can't think of any. Can you?
How much you want to bet these "zero-day" exploits are being peddled by their own employees/contractors?
Re: (Score:2)
Dude, if you think Zoom's security is bad, you should see facebook's. Every user on that platform is a complete open book to, well anyone.
Re: (Score:2)
Dude, if you think Zoom's security is bad, you should see facebook's. Every user on that platform is a complete open book to, well anyone.
I will just trust you there. I never had an account with them, and by the GDPR they are criminals if they have any data about me. (I expect they are criminals though, fits the rest of their mind-set.)
Chinese Software (Score:1)
Maybe it's about time the western world (and really all non-CCP countries) get together and stop using Chinese software like Zoom and TikTok, especially when the former erroneously claimed to be an end-to-end encrypted service.
Not exactly news? Why are people using Zoom? (Score:2)
It's been well-known that Zoom is wildly insecure since at least last July. There have been plenty of warnings about using it. You're telling me that it's been getting more popular?
Stupid, stupid people. Ignorant.
$500,000? (Score:1)
speculation (Score:1)
Project Zero's Natalie Silvanovich wrote on Twitter:
"I peeked at the Android client this weekend, and it uses a ~6-year-old branch of WebRTC, so I have a feeling where these bugs might be"
https://twitter.com/natashenka [twitter.com]
gee golly (Score:3)
A fly-by-night, no-name company selling one product with a one-word name turns out to be absolute shit. The 1990s are calling you, saying: no shit, don't use that garbageware, dumbass.
Still no patch yet (Score:2)