Huge Zoom flaw allows hackers to take over your Mac or PC completely [Update]

Updated comments from Zoom

Zoom has a brand-new flaw that allows hackers to completely take over your PC or Mac.

Two of the few people who know how it works are Dutch security researchers Daan Keuper and Thijs Alkemade, who yesterday (April 7) demonstrated an exploit for this security flaw at the biannual Pwn2Own hacking contest.

Keuper and Alkemade chained three different flaws (some of which may have been known for some time) to gain full remote control of a PC through the Zoom desktop application. Their exploit required no interaction from the user other than having the Zoom application running.

A tweet from the Pwn2Own competition shows an animation of the hack. The sudden launch of the calculator application indicates that the researchers took control of the machine. However, the animation gives no clue as to how Keuper and Alkemade pulled it off.

The exploit also works against the Zoom desktop client for Macs, Malwarebytes researcher Pieter Arntz explained in a blog post. However, the browser version of the Zoom meeting client is not affected.

Zoom itself is a major sponsor of this year's Pwn2Own competition, and while Zoom's website does not yet mention this exploit, Zoom officials are no doubt working to fix this flaw as soon as possible. Under the contest's rules, software developers have 90 days to fix a flaw revealed during the contest.

For their trouble, Keuper and Alkemade received $200,000, which must be a nice supplement to their day jobs at Dutch cybersecurity firm Computest.

As long as Keuper, Alkemade, and Zoom's security team remain tight-lipped about how this exploit works, there is little chance that hackers will use it to take over computers running Zoom.

For now, if you want to play it safe, use the Zoom browser interface rather than the Zoom desktop client. (When you join an online meeting, Zoom will prompt you to install the desktop app, but you can ignore the prompt.)

The Pwn2Own competition is currently run by Trend Micro's Zero Day Initiative team and has been running since 2007.

White-hat hackers are given genuine machines and software, all fully patched, and must demonstrate their exploits in real time in front of a live audience. The winner must share their method privately with the developer of the hacked software.

After this article first appeared, Zoom contacted us to say: "Thank you to the Zero Day Initiative for sponsoring Pwn2Own Vancouver 2021. We take security very seriously and are very appreciative of Computest's research.

We are working to mitigate this issue with respect to our group messaging product, Zoom Chat; in-session chats in Zoom Meetings and Zoom Video Webinars are not affected by this issue. In addition, the attack must originate from an authorized external contact or be part of the same organization account as the target.

As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. [...] program, please send a detailed report to"
