Both Microsoft Teams and Zoom have been exposed as vulnerable by benevolent hackers taking part in the annual Pwn2Own competition. The hacks, which won the contestants a combined $400,000 in a competition that has now doled out more than $1 million in prizes, show it is possible to target the hugely popular videoconferencing tools to take control of a user's PC.
The Zoom attack was particularly noteworthy because it did not require the victim to click on anything and allowed the hackers to write their own software onto the target computer. Had they been malevolent hackers, that software could have been malware for snooping on a system, but they simply launched a calculator (a classic proof of a successful attack). The exploit was the work of Daan Keuper and Thijs Alkemade from Computest, a Netherlands-based security testing company, who “used a three bug chain to exploit Zoom messenger and get code execution on the target system – all without the target clicking anything,” the Zero Day Initiative (ZDI), which runs Pwn2Own, said in a blog post.
According to ZDI, a hacker going by the name of OV won $200,000 when they “combined a pair of bugs to demonstrate code execution on Microsoft Teams.” Multiple other Microsoft technologies were also hacked as part of the competition, including Windows 10 and Exchange. The so-called DEVCORE team found an authentication bypass bug and a flaw that allowed them to take complete control over an Exchange server. Given the recent spate of attacks on tens of thousands of Exchange servers, allegedly carried out by China, there is increased urgency to ensure the security of Microsoft's email software.
Details will not emerge until after the vulnerabilities are patched. Neither Microsoft nor Zoom had responded to requests for comment by the time of publication, though it is almost certain they are now working on fixes, given that contestants have to disclose the vulnerabilities they found to the vendors.
ZDI said that this year's Pwn2Own competition hit a record of more than $1 million in prizes. The final day of the contest on Thursday will see more attempts to exploit weaknesses in Exchange, Windows 10, the Ubuntu operating system and the Parallels virtual desktop software.