Zoom Flaw Could Let Hacker Hack Systems Via Chats

Cybersecurity researchers have found two critical vulnerabilities in Zoom that could let hackers hack into the systems of group chat participants or an individual recipient remotely.

Both the vulnerabilities discovered are of path transversal vulnerability and can be exploited to inject arbitrary files on the systems that are running vulnerable versions of the Zoom app to execute the malicious code in the victim’s device.

The researchers said that for successful exploitation of both the vulnerabilities, it requires very less or no interaction from chat feature in individual or a group chat. The vulnerability can be exploited by sending specially crafted messages in the chat feature.

The vulnerability can be tracked as CVE-2020-6109the vulnerability resides in the Zoom leverages GIPHY service, which lets its users search and exchange GIFs during chatting.

Also, Zoom app doesn’t verify whether the GIFs is sent through GIPHY service or from third party source that could allow an attacker to send malicious GIFs.

Besides this, since Zoom doesn’t sanitize the filenames it could also allow an attacker to achieve directory traversal and could also save malicious files embedded in GIFs on the specified location. Ex: Windows Startup folder.

A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required

The researcher said

Another vulnerability can be tracked as CVE-2020-6110 and was a remote code execution type vulnerability that could let attackers execute remote code, and the vulnerability resides in the Zoom application process code snippets shared through the chat.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × one =

Do NOT follow this link or you will be banned from the site!