“‘Zero-Click’ Zoom Vulnerabilities Could Have Exposed Calls”
WIRED, January 18, 2022
By Lily Hay Newman
“The flaws are now fixed, but they speak to the growing concerns around interactionless attacks.”
Most hacks require the victim to click on the wrong link or open the wrong attachment. But as so-called zero-click vulnerabilities—in which the target does nothing at all—are exploited more and more, Natalie Silvanovich of Google’s Project Zero bug-hunting team has worked to find new examples and get them fixed before attackers can use them. Her list now includes Zoom, which until recently had two alarming, interactionless flaws lurking inside.
Though fixed now, the two vulnerabilities could have been exploited without any user involvement to take over a victim’s device or even compromise a Zoom server that processes many users’ communications in addition to those of the original victim. Zoom users have the option to turn on end-to-end encryption for their calls on the platform, which would keep an attacker with that server access from surveilling their communications. But a hacker could still have used the access to intercept calls in which users didn’t enable that protection.
“This project took me months, and I didn’t even get all the way there in terms of carrying out the full attack, so I think this would only be available to very well-funded attackers,” Silvanovich says. “But I wouldn’t be surprised if this is something that attackers are trying to do.”
Silvanovich has found zero-click vulnerabilities and other flaws in a number of communication platforms, including Facebook Messenger, Signal, Apple’s FaceTime, Google Duo, and Apple’s iMessage. She says she had never given much thought to evaluating Zoom because the company has added so many pop-up notifications and other protections over the years to ensure users aren’t unintentionally joining calls. But she says she was inspired to investigate the platform after a pair of researchers demonstrated a Zoom zero-click vulnerability at the 2021 Pwn2Own hacking competition in April.
Silvanovich, who originally disclosed her findings to Zoom at the beginning of October, says the company was extremely responsive and supportive of her work. Zoom fixed the server-side flaw and released updates for users’ devices on November 24. The company has released a security bulletin and told WIRED that users should download the latest version of Zoom.
The two vulnerabilities Silvanovich found could only be exploited for interactionless attacks when two accounts have each other in their Zoom Contacts.
About the Author:
Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University. Additionally, her work has appeared in Gizmodo, Fast Company, IEEE Spectrum, and Popular Mechanics. She lives in New York City.
- “Project Zero: Zooming in on Zero-click Exploits” – News and updates from the Project Zero team at Google, January 18, 2022