Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]

Zoom fatigue
(Image credit: Shutterstock)

Updated with comment from Zoom.

There's a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.

Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (April 7) as part of the twice-yearly Pwn2Own hacking competition

In fact, Keuper and Alkemade chained together three different flaws — some of which may have been previously known — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making sure the Zoom app was running.

Here's a tweet from the Pwn2Own competition displaying an animation of the hack in action. The sudden launch of the calculator app shows that the researchers have gained control of the machine. But the animation offers no clue about how Keuper and Alkemade pulled it off.

The exploit also works on the Zoom desktop client for Mac, explained Malwarebytes researcher Pieter Arntz in a blog post. However, the browser version of the Zoom meeting client is not affected.

Zoom itself is a major sponsor of this year's Pwn2Own competition. There's been no mention of the exploit on the Zoom website yet, but we can be pretty sure Zoom's own people are working to fix this flaw as quickly as possible. Under Pwn2Own rules, software developers have 90 days to fix flaws revealed during the competition.

For their trouble, Keuper and Alkemade received $200,000, no doubt a nice supplement to their day jobs at Dutch cybersecurity firm Computest. 

As long as Keuper, Alkemade and the Zoom security team stay tight-lipped about how this exploit works, there's little chance that hackers will use it to hijack computers running Zoom. 

What you can do

If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)

The Pwn2Own competition, now run by Trend Micro's Zero Day Initiative team, has been running since 2007. 

White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real-time before a live audience. Winners must share their methods privately with the developers of the software they've hacked.

Update: Zoom statement

Zoom reached out to us after this story was first published to provide this statement:

"We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. 

We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target's same organizational account. 

As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you've found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.