
Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (vice.com)

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard reported Wednesday. From the report: The two flaws are so-called zero-days, and are currently present in Zoom's Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale. Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they're in, they can be sold for thousands or even millions of dollars.

Last week, Motherboard reported that there was an increased interest in zero-days for Zoom as millions of people, including employees and executives at big companies around the world, moved onto the platform for sensitive or confidential meetings, due to the coronavirus pandemic. "From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows," said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. "I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered."

  • by gweihir ( 88907 ) on Wednesday April 15, 2020 @08:49PM (#59952826)

    It really seems that Zoom has managed to mess up everything with regards to security. Impressive. All too typical for current-day software-"engineering" though. This mess has to stop.

    • by edi_guy ( 2225738 ) on Wednesday April 15, 2020 @09:12PM (#59952878)

      Zero days exist everywhere, every application, every OS.

      Zoom happens to be in the spotlight, so it is getting lots of attention from both new users and the black hats, so the above seems harsh. Especially when we're talking about a consumer-grade product. We'll see what comes out of their immediate efforts to ramp up security. If they are all talk and no results, then they can be criticized for it, but for now they are publicly recognizing they have work to do and are presumably working on it. Disclosure: a Zoom user for work and family, but not a shareholder.

      • by phantomfive ( 622387 ) on Wednesday April 15, 2020 @09:50PM (#59952962) Journal
        What did Zoom do before this month to ensure the security of their product?

        Did they use industry standard techniques like passwords, or setting the correct security headers in the browser to prevent XSS? Is Zoom using insecure practices that might allow an SQL injection (this should be 100% preventable)?

        Does Zoom employ anyone to look at their code and think about security?

        Does Zoom have an empty bug tracker, or is it overflowing, in such a way that security issues will get lost?

        Does Zoom keep their dependencies up to date? At this point, it's trivial to run an audit of your codebase's dependencies (Github will do it for you free, as one example).

        Does Zoom have their databases behind a firewall, or are they open to the public?

        There are things companies can and should do to avoid security flaws. Many of them aren't even expensive, and some of them (keeping the bug tracker empty) actually improve development efficiency. These are reasons that companies should be liable if they don't follow the most basic security practices.
        • I agree with everything except keeping the bug tracker empty. Not all bugs are worth fixing.

          Given a choice between developing a new feature that will increase company value by 50% over the next 3 years and fixing every trivial S4 & S5 bug "just because", I'll take the 50%, thanks.
          • I agree with everything except keeping the bug tracker empty. Not all bugs are worth fixing.

            With well-written code bugs are rare, obvious, and easy to fix. The fact that your bug tracker is overflowing with bugs you call "trivial" is a sign that your codebase sucks. Specifically, it's poorly organized (meaning things are hard to find), interfaces are not well-defined, and in the worst case there is a lot of repeated code scattered throughout the system. Under those conditions, it is indeed impossible to write good code.

            How do you make things better? Start by fixing your bugs. That's how you lear

            • by Anonymous Coward
              Complete and utter bullshit. Any product of sufficient size will have huge amounts of unresolved bugs no matter how well written. Generally many of them are insignificant and not worth the time and effort to fix, or are simply too expensive to resolve. The key is to have no showstopper/critical bugs, i.e. bugs that need to be fixed before you release.
          • Bugs must be triaged and moved to a new state. They can be closed as will-not-fix, or some state that moves it to a future milestone.

            Bugs in an open and unassigned state are not acceptable.

      • Yes, they exist everywhere, but that doesn't mean they should be low-hanging fruit. Zoom seems to have ignored security completely up until the last few weeks, so the problems are coming thick and fast.
        • by gweihir ( 88907 )

          Yes, they exist everywhere, but that doesn't mean they should be low-hanging fruit. Zoom seems to have ignored security completely up until the last few weeks, so the problems are coming thick and fast.

          Exactly. If they had one of the numerous problems (well, maybe not the account theft), then that would have been acceptable. But this mass? That is incompetence.

      • by gweihir ( 88907 )

        There are unavoidable, hard-to-find and hard-to-exploit vulnerabilities. These you get when you do sound software engineering. And then there is screwing up. And that is what Zoom did.

      • by DarkOx ( 621550 )

        Here is the thing: there has been lots of noise about Zoom and security. It's NOT a secure system. It has some basic controls, but in order to deliver all those nice features without massive bandwidth requirements at endpoints etc., things like end-to-end encryption are simply not there. That isn't a criticism, it's just recognition of what things are. To use a car analogy: I have both a pickup and a sedan. You could probably put 15 bags of cement in the back of either and odds are you'd make it home from the home

      • Don't worry they have hired the guy who used to be responsible for Facebook's security.

    • by rtb61 ( 674572 )

      The mess will stop quite shortly, they are a public company with crappy insecure software, they go kaboom on the markets. My read on this to be honest, a bunch of Zoom executives looking to cash in on a dying company. Zoom are fucked, the marketing damage done by the bannings is terminal, tee hee (sorry fellas but yeah your company is a goner).

      • Zoom are fucked, the marketing damage done by the bannings is terminal, tee hee (sorry fellas but yeah your company is a goner).

        Unfortunately they'll probably survive. Cisco and Microsoft are still both here after forty years, and look at all the CVEs they've had.

        • by rtb61 ( 674572 )

          Fewer competitors at that time, and organisations were not banning them. Do security fuck-ups now and the outcomes are pretty grim.

      • Which software do you use that's never had a critical zero day flaw?

        The companies and open source projects you used which did have zero-day flaws: are they gone? Did the price per share of the public companies crash on the news? Did the OS projects shrivel and die?

        OK then... welcome to reality. Security flaws *very* rarely kill a company or open source project. Maybe never. Has anything ever died as a direct result of a zero-day or other breach? I can't think of any. Can you?
    • Seriously, are they trying to insert security vulnerabilities with this piece of shit?
    • How much you want to bet these "zero-day" exploits are being peddled by their own employees/contractors?

    • Dude, if you think Zoom's security is bad, you should see Facebook's. Every user on that platform is a complete open book to, well, anyone.

      • by gweihir ( 88907 )

        Dude, if you think Zoom's security is bad, you should see Facebook's. Every user on that platform is a complete open book to, well, anyone.

        I will just trust you there. I never had an account with them, and by the GDPR they are criminals if they have any data about me. (I expect they are criminals though, fits the rest of their mind-set.)

  • by Anonymous Coward

    Maybe it's about time the western world (and really all non-CCP countries) get together and stop using Chinese software like Zoom and TikTok, especially when the former erroneously claimed to be an end-to-end encrypted service.

  • It's been well-known that Zoom is wildly insecure since at least last July. There have been plenty of warnings about using it. You're telling me that it's been getting more popular?

    Stupid, stupid people. Ignorant.

  • Best I can do is twenty bucks.
  • by Anonymous Coward

    Project Zero person Natalie Silvanovich wrote on Twitter:

    "I peeked at the Android client this weekend, and it uses a ~6-year-old branch of WebRTC, so I have a feeling where these bugs might be"

    https://twitter.com/natashenka

  • by Osgeld ( 1900440 ) on Thursday April 16, 2020 @08:53AM (#59954574)

    A fly-by no-name company selling one product with a one-word name turns out to be absolute shit. The 1990s are calling you, saying no shit, don't use that garbageware, dumbass.

  • And Zoom still doesn't have a newer version, the latest one is 04/12/2020. They had just released another version 5 days before this.
