The dangers of the ‘Zero-Click’ Zoom May Have Unlocked Phones

Many hacks require the victim to click the wrong link or open the wrong attachment. But as so-called zero-click attacks, in which the target does nothing at all, are increasingly exploited, Natalie Silvanovich of Google’s Project Zero bug-hunting team has made a point of finding new ones and getting them fixed before they can be used. Her list now includes Zoom, which until recently had two dangerous, unrelated bugs hidden inside it.

Both flaws are now fixed. Before that, they could have been exploited without any interaction from the user, and could even have compromised a Zoom server that handles the connections of many users in addition to those of the original victim. Zoom users have the option to turn on end-to-end encryption for their calls on the platform, which would have prevented an attacker from monitoring their communications. But the attacker could still have exploited the calls of users who had not enabled that protection.

“This project took me several months, and I didn’t get all the way there in terms of a complete attack, so I think this could be available to those who can pay a lot of money,” says Silvanovich. “But I wouldn’t be surprised if this is what attackers want to do.”

Silvanovich has found zero-click flaws and other bugs in several communication platforms, including Facebook Messenger, Signal, Apple’s FaceTime, Google Duo, and Apple iMessage. She says she had not thought much about auditing Zoom because the company has added many pop-up notifications and other safeguards over the years to ensure users do not join calls unintentionally. But she was inspired to examine the platform after two researchers demonstrated a Zoom zero-click attack at the Pwn2Own hacking competition in April 2021.

Silvanovich, who disclosed her findings to Zoom in early October, says the company was very responsive and supportive of her work. Zoom fixed the server-side bug and released updates for user devices on December 1. The company has published a security bulletin and told WIRED that users should download the latest version of Zoom.

Most video-conferencing services are at least partly based on open standards, says Silvanovich, which makes them easier for security researchers to examine. But Apple’s FaceTime and Zoom are both proprietary, which makes it harder to see how they work internally and to find bugs.

“The barrier to doing this research on Zoom was huge,” she says. “But I did find big bugs, and sometimes I wonder whether that big barrier to entry is one of the reasons I found them and others didn’t.”

You can join a Zoom call by receiving a meeting link and clicking it. But Silvanovich realized that Zoom also offers a broader platform in which people can agree to become “Zoom Contacts” and then message or call each other through Zoom, much as you would call or text someone’s phone number. The two bugs Silvanovich discovered could be exploited only if the two accounts involved were already Zoom Contacts with each other. This means the people most at risk from these attacks would be those who use Zoom, individually or through their organizations, and regularly communicate with Zoom Contacts.
