Zoom zero-day exploits being sold online for $500,000, report

The reported vulnerabilities impact Zoom clients for MacOS and Windows; Zoom disputes the claim

Hackers are selling two zero-day exploits for the video conferencing software Zoom, which could allow people to spy on users' private calls and take control of their device.

That's according to a report by Motherboard, which claims that the two vulnerabilities impact Zoom clients for the MacOS and Windows operating systems and are classified as zero-days, meaning that the company is currently unaware of their existence.

Three people familiar with the zero-days market told Motherboard that they were recently contacted by brokers, who offered them Zoom exploits for sale.

It is worth noting here that Motherboard's sources have not reviewed the code for the zero-days, and their opinions are based on what hackers claim to have for sale.

The bug present in Zoom's Windows client lets hackers run arbitrary code on the target device remotely. In order to exploit the bug, an attacker would need to join the same video conference as the target. Moreover, hackers would need to chain this exploit with another exploit before they could gain access to the whole machine. Hackers are asking $500,000 for this zero-day exploit code.

The bug that exists in Zoom's MacOS client is not a remote code execution (RCE) bug, according to Motherboard's report, and can be exploited only by an attacker who already has local access to the target device.

This flaw is much harder to use in a real hack, Motherboard's sources say.

In a statement, Zoom said that it had yet to find any evidence in support of the claims made by the publication. The company also revealed that it was working with an "industry-leading security firm" to investigate those claims.

The popularity of Zoom software has soared to new heights amid the ongoing coronavirus crisis, as millions of people are currently forced to work from home.

But the sudden rise in Zoom's popularity has also resulted in increased attention on the company's security practices.

Earlier this month, a Zoom user filed a class-action lawsuit against the company in the federal court in San Jose, California, accusing the company of disclosing users' data to Facebook without receiving prior consent from users.

A security researcher then discovered two bugs in Zoom's Mac client that could allow an attacker to access the microphone and webcam on a user's device.

A large number of Zoom users also complained of the 'zoombombing' phenomenon, in which uninvited guests were able to join video conferences just to make racist remarks, share pornography or shout abuse.

Taking note of all those issues, Zoom announced that it was pausing the development of new features for its video-conferencing app and would focus more on security and privacy issues impacting the app.

"I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform," Eric Yuan, the founder and CEO of the company, said in a blog post.

"Our chief concern, now and always, is making users happy and ensuring that the safety, privacy, and security of our platform is worthy of the trust you all have put in us."