An exploit for a critical remote code execution vulnerability in the Zoom Windows app is currently available for sale for $500,000. This flaw would allow attackers to spy on communications. The hackers are also selling an exploit for another, less dangerous bug affecting the Zoom video conferencing platform’s macOS client, Motherboard revealed, citing people with knowledge of the matter.
While sources said they have not seen the actual code for these vulnerabilities, they “have been contacted by brokers offering them for sale”.
According to Adriel Desautels, the founder of the zero-day broker firm Netragard, these zero-days will not have a long shelf-life once threat actors start to exploit them in the wild.
One of the sources told Motherboard that the Windows zero-day is “nice, a clean RCE” and is perfect for industrial espionage. While this flaw would allow attackers to access the app, it needs to be exploited with another vulnerability to compromise the whole machine.
Also, according to one of the sources, the exploit requires the attacker to be in a call with the target, which makes it less valuable for nation-state hackers.
"I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang," one of the anonymous sources explained, adding that the asking price should be significantly lower.
According to Motherboard, the macOS exploit is less dangerous and harder to use in a real attack scenario as it is not a remote code execution flaw.
Meanwhile, Zoom said in a statement that it takes user security extremely seriously and is currently investigating rumors about the availability of the zero-day exploits.
“To date, we have not found any evidence substantiating these claims,” the company said.