The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Video Conferencing Software

Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28

Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28

August 10, 2020Ravie Lakshmanan
Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application. According to cybersecurity researcher Mazin Ahmed , who presented his findings at DEF CON 2020 yesterday, the company also left a misconfigured development instance exposed that wasn't updated since September 2019, indicating the server could be susceptible to flaws that were left unpatched. After Ahmed privately reported the issues to Zoom in April and subsequently in July, the company issued a fix on August 3 (version 5.2.4). It's worth noting that for some of these attacks to happen, an attacker would need to have already compromised the victim's device by other means. But that doesn't take away the significance of the flaws. In one scenario, Ahmed uncov
Zoom Bug Allowed Snoopers Crack Private Meeting Passwords in Minutes

Zoom Bug Allowed Snoopers Crack Private Meeting Passwords in Minutes

July 30, 2020Ravie Lakshmanan
Popular video conferencing app Zoom recently fixed a new security flaw that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants. Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue , the lack of rate limiting enabled "an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private (password protected) Zoom meetings." It's worth noting that Zoom began requiring a passcode for all meetings back in April as a preventive measure to combat Zoom-bombing attacks, which refers to the act of disrupting and hijacking Zoom meetings uninvited to share obscene and racist content. Anthony reported the security issue to the company on April 1, 2020, along with a Python-based proof-of-concept script, a week after which Zoom patched the flaw
A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations

A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations

July 16, 2020Swati Khandelwal
In a report shared with The Hacker News, researchers at cybersecurity firm CheckPoint today disclosed details of a minor but easy-to-exploit flaw they reported in Zoom, the highly popular and widely used video conferencing software. The latest Zoom flaw could have allowed attackers mimic an organization, tricking its employees or business partners into revealing personal or other confidential information using social engineering tricks. We know, social engineering attacks may sound a bit boring, but someone used the same to put Twitter on fire just last night when hundreds of high-profile Twitter accounts were hacked to promote a cryptocurrency scam, all thanks to an employee's compromised internal tooling account. The said vulnerability resides in Zoom's customizable URL feature dubbed Vanity URL, aiming to let companies create a custom URL on its subdomain and branded landing page, such as " yourcompany.zoom.us, " where the invitation link to a meeting then
Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 or Earlier

Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 or Earlier

July 10, 2020Swati Khandelwal
A zero-day vulnerability has been discovered in Zoom video conferencing software for Windows that could allow an attacker to execute arbitrary code on a victim's computer running Microsoft Windows 7 or older. To successfully exploit the zoom vulnerability, all an attacker needs to do is tricking a Zoom user into performing some typical action like opening a received document file. No security warning is triggered or shown to the user at the time of the attack. The vulnerability has been discovered by a researcher who reported it to Acros Security, who then reported the flaw to the Zoom security team earlier today. The researcher wishes to remain anonymous. Although the flaw is present in all supported versions of the Zoom client for Windows, it is only exploitable on systems running Windows 7 and older Windows systems due to some specific system characteristics. "This vulnerability is only exploitable on Windows 7 and earlier Windows versions. It is likely also explo
Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat

Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat

June 03, 2020Mohit Kumar
If you're using Zoom —especially during this challenging time to cope with your schooling, business, or social engagement—make sure you are running the latest version of the widely popular video conferencing software on your Windows, macOS, or Linux computers. No, it's not about the arrival of the most-awaited "real" end-to-end encryption feature, which apparently, according to the latest news, would now only be available to paid users . Instead, this latest warning is about two newly discovered critical vulnerabilities. Cybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely. Both flaws in question are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on the systems running vulnerable versions of the video conferencing software to e
How An Image Could've Let Attackers Hack Microsoft Teams Accounts

How An Image Could've Let Attackers Hack Microsoft Teams Accounts

April 27, 2020Ravie Lakshmanan
Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organization's entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image. The flaw, impacting both desktop and web versions of the app, was discovered by cybersecurity researchers at CyberArk. After the findings were responsibly disclosed on March 23, Microsoft patched the vulnerability in an update released on April 20. "Even if an attacker doesn't gather much information from a Teams' account, they could still use the account to traverse throughout an organization (just like a worm)," CyberArk's Omer Tsarfati said. "Eventually, the attacker could access all the data from your organization's Teams accounts — gathering confidential information, meetings and calendar information, competitive data, secrets, passwords, private information,
Zoom Caught in Cybersecurity Debate — Here's Everything You Need To Know

Zoom Caught in Cybersecurity Debate — Here's Everything You Need To Know

April 06, 2020Ravie Lakshmanan
Over the past few weeks, the use of Zoom video conferencing software has exploded ever since it emerged the platform of choice to host everything from cabinet meetings to yoga classes amidst the ongoing coronavirus outbreak and work from home became the new normal. The app has skyrocketed to 200 million daily users from an average of 10 million in December — along with a 535 percent increase in daily traffic to its download page in the last month — but it's also seen a massive uptick in Zoom's problems, all of which stem from sloppy design practices and security implementations. Zoom may never have designed its product beyond enterprise chat initially, but with the app now being used in a myriad number of ways and by regular consumers, the company's full scope of gaffes have come into sharp focus — something it was able to avoid all this time. But if this public scrutiny can make it a more secure product, it can only be a good thing in the long run. A Laundry
New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

April 02, 2020Wang Wei
Zoom has been there for nine years, but the immediate requirement of an easy-to-use video conferencing app during the coronavirus pandemic overnight made it one of the most favorite communication tool for millions of people around the globe. No doubt, Zoom is an efficient online video meeting solution that's helping people stay socially connected during these unprecedented times, but it's still not the best choice for everyone—especially those who really care about their privacy and security. According to cybersecurity expert @_g0dmode , the Zoom video conferencing software for Windows is vulnerable to a classic ' UNC path injection ' vulnerability that could allow remote attackers to steal victims' Windows login credentials and even execute arbitrary commands on their systems. Such attacks are possible because Zoom for Windows supports remote UNC paths that convert potentially insecure URIs into hyperlinks when received via chat messages to a recipient in a
COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

COVID-19: Hackers Begin Exploiting Zoom's Overnight Success to Spread Malware

March 30, 2020Ravie Lakshmanan
As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone. "We see a sharp rise in the number of 'Zoom' domains being registered, especially in the last week," said Omer Dembinsky, Manager of Cyber Research at Check Point . "The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure,
Zoom Bug Could Have Let Uninvited People Join Private Meetings

Zoom Bug Could Have Let Uninvited People Join Private Meetings

January 28, 2020Swati Khandelwal
If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms. Zoom generates this random meeting ID, comprised of 9, 10, and 11-digit numbers, for each meeting you schedule or create. If leaked beyond an individual or intended group of people, merely knowing Meeting IDs could allow unwelcome guests joining meetings or webinars. This could be bad news for anyone expecting their conversations to be private. To circumvent suc
Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu

Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu

July 16, 2019Swati Khandelwal
The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software. Security researchers confirmed The Hacker News that RingCentral, used by over 350,000 businesses, and Zhumu, a Chinese version of Zoom, also runs a hidden local web server on users' computers, just like Zoom for macOS. The controversial local web server that has been designed to offer an automatic click-to-join feature was found vulnerable to remote command injection attacks through 3rd-party websites. Security researcher Jonathan Leitschuh initially provided a proof-of-concept demonstrating how the vulnerable web server  could eventually allow attackers to turn on users laptop's webcam and microphone remotely. The flaw was later escalated to remote code execution attack by another security researcher, Karan Lyons , who has now published a new v
Zoom Video Conferencing for macOS Also Vulnerable to Critical RCE Flaw

Zoom Video Conferencing for macOS Also Vulnerable to Critical RCE Flaw

July 13, 2019Mohit Kumar
The chaos and panic that the disclosure of privacy vulnerability in the highly popular and widely-used Zoom video conferencing software created earlier this week is not over yet. As suspected, it turns out that the core issue—a locally installed web server by the software—was not just allowing any website to turn on your device webcam, but also could allow hackers to take complete control over your Apple's Mac computer remotely. Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users into visiting an innocent looking web-page. As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability ( CVE-2019-13450 ) that resides in the way its click-to-join feature is implemented, which automatically turns on users' webcam when they visit an in
Flaw in Zoom Video Conferencing Software Lets Websites Hijack Mac Webcams

Flaw in Zoom Video Conferencing Software Lets Websites Hijack Mac Webcams

July 08, 2019Swati Khandelwal
If you use Zoom video conferencing software on your Mac computer—then beware—any website you're visiting in your web browser can turn on your device camera without your permission. Ironically, even if you had ever installed the Zoom client on your device and simply uninstalled it, a remote attacker can still activate your webcam. Zoom is one of the most popular cloud-based meeting platforms that provide video, audio, and screen sharing options to users, allowing them to host webinars, teach online courses, conduct online training, or join virtual meetings online. In a Medium post published today, cybersecurity researcher Jonathan Leitschuh disclosed details of an unpatched critical security vulnerability (CVE-2019-13450) in the Zoom client app for Apple Mac computers, which if combined with a separate flaw, could allow attackers to execute arbitrary code on the targeted systems remotely. Jonathan responsibly reported the security vulnerability to the affected company ov
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.