Hacking the pandemic’s most popular software: Zoom
In April 2021, Daan Keuper and Thijs Alkemade won the Pwn2Own hacking competition in the category Enterprise Communications. They won a cash prize of 200,000 dollars (168,000 euros). How? They disclosed a vulnerability in Zoom!
Keuper and Alkemade chained together three different flaws — so-called zero-day vulnerabilities — to gain complete remote control of a PC through the Zoom desktop application. Their exploit required no user interaction other than making sure the Zoom app was running.
In this talk Keuper and/or Alkemade outline the process leading up to their discovery and what happened next. What did Zoom do?
Track: Security
Level: This depends on whether Zoom has fixed the vulnerabilities at the time of this talk. If Zoom has not yet fixed the vulnerabilities, we cannot share any details about our methods (as each client is still vulnerable). In this case the talk will be more about the impact, etc., and can be classified as a beginner talk. If Zoom has fixed all vulnerabilities, we have permission to talk about the actual findings and our exploit chain. In this case the talk will be aimed at experts.
On-demand video: Yes
The talk can be viewed for 14 days (after June 5, 2021) by logged-in visitors on the platform.
Daan is a security researcher at Computest. He started out doing regular pentests and is currently responsible for the research department, Sector 7. In April 2021, Daan and his colleague Thijs Alkemade won the international hacking contest Pwn2Own, when they used a three-bug chain to exploit the Zoom messenger and get code execution on the target system, all without the target clicking anything.