Dutch hackers receive 200,000 dollars for discovering a major vulnerability in Zoom

Daan Keuper (33) and Thijs Alkemade (31), ethical hackers at the cybersecurity company Computest, took part in the well-known hacking competition Pwn2Own. In that competition, hackers are allowed to attack the products of a number of participating companies, including Zoom, and can receive a reward for a successful attack.

Vulnerability in Zoom

The main prize for Zoom this year goes to the two Dutch hackers, who found a major vulnerability in the Zoom client for Windows and macOS. Through that vulnerability they can take over a computer remotely as long as Zoom is running on it. The user does not have to do anything. Malicious actors could use such a vulnerability to look through the webcam (even when Zoom itself is not in use), steal sensitive files or infect the device with ransomware.

The vulnerability has not yet been patched, which puts the computers of millions of Zoom users at risk. But there is no need to worry right away, Keuper tells RTL News: "Only we, and now Zoom too, know about this vulnerability. Zoom will have ninety days to close it, but I expect that to happen much faster."

His advice: keep a close eye on when an update for Zoom becomes available and install it as soon as possible. "Installing the latest updates is always a good measure to keep criminal hackers out."

Keuper and Alkemade worked on their research for about two months. In the first weeks they studied the program closely: where might vulnerabilities be hiding? Once they found a potentially vulnerable part of the program, they dug deeper into it.

Turning the vulnerability into an exploit

"Finding a vulnerability is generally not a lot of work," says Keuper. "Most of the work is in developing the vulnerability into an exploit so that you can actually take over a computer with it, and so that it works every time, no matter on which computer." That process took a month and a half.

The hackers are not allowed to say exactly how the vulnerability works. "Zoom hasn't closed it yet, so we can't give details yet. But as a user you only need to have the program running on your computer. You don't have to click on anything or install another program."

Android and iOS

The vulnerability cannot be exploited if you only use Zoom in the browser. Browsers are generally more secure than many other computer programs, says Keuper. Many browsers use a so-called sandbox, a kind of digital wall around the program. You don't just break through that.

Zoom, like many other computer programs, does not yet make use of this. "In the long term, that would be a very good addition to make this type of attack more difficult." It is unclear whether the vulnerability is also present in Zoom's Android and iOS apps. Keuper and Alkemade have not looked at that. "We expect Zoom to do that in the near future."

The fact that vulnerabilities are discovered in Zoom does not mean that the program is immediately unsafe. "It's mainly about how a company deals with it," says Keuper. "Windows and macOS roll out updates every month that plug holes. Zoom's participation in Pwn2Own shows that they take their security seriously."

200,000 dollars in prize money

Keuper and Alkemade will soon receive the prize money of 200,000 dollars, about 168,000 euros. They are putting part of it back into the research department where they work: the hackers have a free role there and can investigate whatever they want. The money can be used to fund new research aimed at making the digital society safer.

They can spend the other part themselves. Keuper and Alkemade already have ideas: Alkemade is looking forward to the new MacBook that will be released later this year, and Keuper, an avid kitesurfer, has a few nice kites in mind.