Most hacks require the victim clicks on the wrong link or opens the wrong attachment. But the so-called no-click vulnerability—Where the target does nothing — is mining more and moreNatalie Silvanovich of Google’s Project Zero bug-hunting team worked to find new examples and fix them before attackers could use them. Her list now includes Zoomwhich until recently had two alarming, non-interactive vulnerabilities lurking within.
Although now fixed, these two vulnerabilities could have been exploited without any user involvement to take over the victim’s device or even compromise the Zoom server that handles a lot of information. user communications other than the original victim. Zoom users have the option to enable end-to-end encryption for their calls on the platform, which will prevent an attacker with access to that server from spying on their communications. But a hacker could still use access to intercept calls without the user having that protection enabled.
“This project took me months and I haven’t even finished implementing the full attack yet, so I think this will only be available to very well-funded attackers,” he said. Silvanovich said. “But I wouldn’t be surprised if this is what the attackers are trying to do.”
Silvanovich found zero-click and other vulnerabilities in several communication platforms including Facebook messages, Signal, Apple FaceTime, Google Duoand Apple’s IMessage. She said she’s never given much thought to reviewing Zoom, because the company has been adding a lot of pop-up notifications and other safeguards over the years to ensure that users don’t inadvertently join. call. But she says she was inspired to investigate the platform after a pair of researchers demonstrated a clickless Zoom at the Pwn2Own hack competition 2021 in April.
Silvanovich, who initially disclosed her findings to Zoom in early October, says the company has been extremely responsive and supportive of her work. Zoom fixed the server-side error and released an update for users’ devices on December 1. The company released a security bulletin and told WIRED that users should download the latest version of Zoom. .
Silvanovich says that most mainstream video conferencing services rely in part on open source standards, making it easier for security researchers to test them. But Apple’s FaceTime and Zoom are both completely proprietary, which makes it a lot harder to test their inner workings and potentially find bugs.
“The barrier to doing this research on Zoom is pretty high,” she said. “But I did find serious bugs, and sometimes I wonder if part of the reason I found them and other bugs wasn’t such a huge barrier to entry.”
You can join a Zoom call by getting a link to a meeting and clicking on it. But Silvanovich found that Zoom actually offers a much more open platform in which people can agree to become “Zoom Contacts” and then text or call each other through Zoom in the same way. you call or text someone’s phone number. The two vulnerabilities Silvanovich found can only be exploited for non-interactive attacks when the two accounts have each other in their Zoom Contacts. This means that the primary targets for these attacks will be people who are active Zoom users, personally or through their organization, and are used to interacting with Zoom Contacts.
