Skip to main content

‘Zero-Click’ Zoom Vulnerabilities Could Have Exposed Calls

posted onJanuary 18, 2022
by l33tdawg
Wired
Credit: Wired

Most hacks require the victim to click on the wrong link or open the wrong attachment. But as so-called zero-click vulnerabilities—in which the target does nothing at all—are exploited more and more, Natalie Silvanovich of Google's Project Zero bug-hunting team has worked to find new examples and get them fixed before attackers can use them. Her list now includes Zoom, which until recently had two alarming, interactionless flaws lurking inside.

Though fixed now, the two vulnerabilities could have been exploited without any user involvement to take over a victim's device or even compromise a Zoom server that processes many users' communications in addition to those of the original victim. Zoom users have the option to turn on end-to-end encryption for their calls on the platform, which would keep an attacker with that server access from surveilling their communications. But a hacker could still have used the access to intercept calls in which users didn't enable that protection.

“This project took me months, and I didn't even get all the way there in terms of carrying out the full attack, so I think this would only be available to very well-funded attackers,” Silvanovich says. “But I wouldn’t be surprised if this is something that attackers are trying to do.”

Source

Tags

Security

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th