As more people work from home during this pandemic, many individuals and companies are relying on Zoom. However, security researchers have discovered two zero-day vulnerabilities in the teleconferencing app. News of these vulnerabilities comes after users had already expressed concern over their privacy.
The flaws were reportedly discovered by Jamf security researcher Patrick Wardle. Wardle said that, given the track record of the teleconferencing app and the company's security policy, users shouldn't be surprised by these vulnerabilities.
According to Threat Post, the two zero-day vulnerabilities could give attackers root privileges. Moreover, the flaws also allow outside, unauthorized access to users' microphones and cameras.
In particular, one flaw stemmed from the Zoom installer. Based on Tech Crunch's report, the installer uses what the article calls a "shady" approach, of the kind associated with Mac malware, to install itself on the user's system without requiring physical access to the computer.
A local attacker with low-level user privileges can supposedly escalate to the highest privilege level through the installer vulnerability. Once attackers have that level of control over the computer, they are free to install malware or spyware on the system, notes Tech Crunch.
According to Threat Post, Wardle states that a local, non-privileged attacker could abuse this approach and subsequently gain root access, because the runwithroot script is not validated before it is run.
Apart from the installer flaw, Wardle and his team found another vulnerability. Attackers can allegedly hijack Zoom's microphone and camera access, allowing them to record meetings and observe users' private lives.
While Zoom requires users to grant consent before it uses the webcam and microphone, attackers can supposedly inject malicious code into the user's system. This malicious code tricks Zoom into providing access to the webcam and microphone, notes Tech Crunch.
Wardle said, “No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video.”
As of Thursday, April 2, 2020, Zoom had patched the vulnerabilities, as stated in its blog post. In an announcement, Eric S. Yuan, founder and chief executive officer of Zoom, said that "Transparency has always been a core part of our culture."
Yuan also said, "I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform."
Aside from fixing the flaws, Yuan and his Zoom team have also addressed a slew of other privacy and technical issues raised by users and security researchers.