Hackers exploit a new vulnerability in the popular Zoom video conferencing application, which allows them to record live meeting sessions and audio conversations.
The critical vulnerability, discovered by security researchers at Morphisec, allows hackers to record Zoom sessions and chat text at will, without the knowledge or permission of the meeting participants.
Even worse, the Zoom vulnerability can be exploited this way even if the host has disabled the sign-up option.
“A trigger (evasion detection) is a malicious program that injects its code into the Zoom process without any interaction with the user, even if the host did not allow the participant to write. With such a recording, none of the participants is informed that the session is being recorded, and the malware fully controls the exit,” wrote Morphisec researcher Daniel Petrillo in his blog article.
This vulnerability opens up the possibility for hackers to spy on Zoom sessions, as more than 500,000 accounts are already available for purchase on the Dark Web.
“In addition, Zoom is typically a trusted application; turning this into an information thief in this way acts as a way to avoid detection and circumvent prevention,” added Petrillo.
In a video, Petrillo demonstrated how the malware operates during a Zoom session between a victim and an attacker. According to him, the vulnerability works on the latest Zoom version with antivirus software running and all its security features activated.
Petrillo noted that Morphisec has reported the Zoom vulnerability. On Wednesday, Zoom released the new Zoom 5.0 update with new security features and enhancements to address some of its biggest privacy and security concerns. However, it is not clear whether the Zoom 5.0 update fixes the flaw.