
Hackers home in on Zoom security to use flaws in bug bounties and sell them on the black market

Hackers are homing in on finding flaws in video conferencing service Zoom to cash in on bug bounties and even sell the exploits on the black market

  • Hackers have been probing Zoom for flaws in its security
  • The exploits can be sold back to Zoom or even on the black market
  • Increased interest has been driven partly by popularity
  • A spate of flaws in the service has also turned researchers’ attention to Zoom 

Hackers are trying to cash in on a spate of security flaws with the increasingly popular video conferencing service, Zoom.

According to a report from Motherboard, hackers both ethical and not have begun trawling the service for exploits that they can sell to either government agencies or Zoom itself, both of which pay what are known as ‘bug bounties’ for disclosing gaps in their security.

In some cases, those flaws – which may compromise everything from webcam or microphone security to sensitive data like passwords, emails, or device information – are sold on the black market to other hackers looking to use them on victims.

Hackers are turning their attention to Zoom after a spate of publicly disclosed flaws in its security. Pictured, Zoom CEO Eric Yuan, seen here at the firm’s IPO in New York last April

One hacker interviewed by Motherboard, who claims to have traded exploits found in Zoom on the black market, said that Zoom flaws typically sell for between $5,000 and $30,000 – a relatively low sum compared to other bugs that compromise web browsers like Chrome or operating systems like iOS or Android.

Other hackers interviewed by Motherboard who contract for the US Defense Department say that there hasn’t been a noticeable increase in finding Zoom flaws despite the explosion in popularity.

A source told Motherboard that contractors are still unsure if Zoom is a big enough player to warrant looking into given its relatively new position on the world stage.  

Additional interest reported by some hackers interviewed by Motherboard may be a product not just of Zoom’s popularity but of its recent track record with security. 

Zoom’s rise to prominence has been overshadowed by a slew of security issues, including revelations about data sharing practices with Facebook. 

Last month, Zoom was discovered sharing sensitive data with the social media giant, including the time the Zoom app was opened, phone carrier, device specs, location and other analytic data that can be used to target ads. 

Hackers say that flaws are found frequently in the service but don't sell for particularly high figures compared to other exploits (stock)

According to a recent blog post from the company’s Yuan, Zoom was ‘made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services’ and has subsequently changed the app’s code.

Other flaws discovered in Zoom also compromise the privacy of one’s webcam, allowing hackers to tap into video and audio feeds, and another issue allows hackers to steal passwords on Windows devices.