As an ever-increasing number of people turn to Zoom during the coronavirus quarantine, a new report suggests they may have more to worry about than they know.
Former NSA hacker and security researcher Patrick Wardle revealed two "zero-day exploits" inside Zoom on Wednesday. Zero-day exploit is a term used to describe security flaws that have been discovered that still don't have a fix. Hackers often seek out zero-day exploits to target users who have no defense against them.
According to Wardle, whose findings were first reported by TechCrunch, both bugs require a hacker to have access to the Zoom installation on a user's machine. That means they'll need to be physically with the computer or have the ability to control the machine remotely with a remote desktop app.
Once that happens, the first hack would pave the way for a local user without root access, or the ability to fully control the machine, the ability to add malicious code to the Zoom installer. The result? Full access to the entire computer.
If hackers want to be a bit trickier, they can also inject code into the Zoom installation on a computer and get it to request that users provide the "app" access to the computer's camera and microphone. In reality, the app is providing the hacker access to the user's camera and microphone, potentially wreaking havoc.
For its part, Zoom hasn't responded to the bug, and hasn't responded to an Inc. request for comment, but Wardle decided to share the exploits on his blog without a fix for either flaw. That may mean that the flaw could be exploited by hackers, though it's unclear whether that's happened.
Still, as Zoom continues to be the de facto choice for businesses, schools, and consumers to communicate around the world, even a hack that requires local access to the device is concerning. And it might give some folks pause as they consider which conferencing solution to use.
Worst of all, since Wardle found zero-day exploits, there's nothing Zoom users can do and no way to easily determine whether they've already been hacked. Wardle's only recommendation was to consider finding another solution.
"If you care about your security and privacy," Wardle wrote on his blog, "perhaps stop using Zoom."