Zoom: all it took was a message to hack your PC

More security problems for Zoom. The video conferencing platform had some flaws that would have allowed hackers to take control of the PC.

We have all noticed that, in recent months, the video conferencing app Zoom has had huge security problems along with its huge success: in the last ninety days, news of privacy and security problems on Zoom has multiplied exponentially.

That is also why Zoom was forced to speed up its app development plans considerably, in order to quickly plug all the flaws that came up. Today it turns out that a couple of these flaws would have allowed a hacker to take almost complete control of our computer with an animated GIF or a simple message. In fact, in late May Zoom temporarily suspended the ability to share animated GIFs in chats, then fixed the bug and finally reintroduced the feature. The other vulnerability was also fixed, with version 4.6.12 of the app.

Then, starting May 30, all users had to upgrade to version 5.0 of the app to close additional security holes. But what have we been risking all these months by using Zoom?

Zoom: the CVE-2020-6109 vulnerability

Both serious Zoom vulnerabilities were discovered by Cisco Talos researchers. The first one is tracked as CVE-2020-6109 and is related to the integration with GIPHY, the well-known animated GIF service recently acquired by Facebook. Researchers discovered that the Zoom app did not check whether a GIF shared in a chat was being loaded from GIPHY's servers or from other servers. This would have allowed a malicious user to share an animated GIF from a malicious server, resulting in the computer being infected.

Zoom: the CVE-2020-6110 vulnerability

The second vulnerability, called CVE-2020-6110, depended on the implementation of the Extensible Messaging and Presence Protocol (XMPP) within the Zoom app. This messaging protocol is based on XML and, as a result, allows code to be executed on the chat client. Basically, the feature for sharing code snippets creates a zip archive of the shared snippet and then automatically unzips the file on the recipient's computer. According to the researchers, Zoom's zip file extraction function did not validate the contents of the zip file before extracting it, allowing the attacker to install arbitrary binaries on target computers.
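The kind of check the researchers found missing, shown as an added example (not Zoom's code and not part of the original article): every archive member is validated before anything is written to disk. The allow-list, the size limits and the function names are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Assumed policy (not Zoom's): snippet archives may hold only small text files.
ALLOWED_SUFFIXES = {".txt", ".py", ".js", ".c", ".json"}
MAX_MEMBERS = 16
MAX_TOTAL_BYTES = 1_000_000


def validate_archive(zf: zipfile.ZipFile) -> list[str]:
    """Return a list of policy violations; an empty list means safe to extract."""
    problems = []
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        problems.append(f"too many members: {len(infos)}")
    # file_size is the size declared in the archive header, checked up front.
    if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
        problems.append("declared uncompressed size exceeds limit")
    for info in infos:
        name = info.filename.replace("\\", "/")
        path = PurePosixPath(name)
        # Reject absolute paths, parent-directory hops and drive letters.
        if path.is_absolute() or ".." in path.parts or ":" in name:
            problems.append(f"path escapes target directory: {info.filename}")
        elif not info.is_dir() and path.suffix.lower() not in ALLOWED_SUFFIXES:
            problems.append(f"file type not allowed: {info.filename}")
    return problems


def safe_extract(data: bytes, dest: Path) -> list[str]:
    """Extract only if every member passes validation; return names written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        problems = validate_archive(zf)
        if problems:
            raise ValueError("; ".join(problems))
        zf.extractall(dest)
        return zf.namelist()


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory archive (constructed sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The archive is rejected as a whole if any single member fails, so a valid snippet cannot be used to carry a binary alongside it.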

Zoom: all fixed?

As of May 30, Zoom requires all its users to install version 5.0 of the client app; otherwise it is impossible to use the platform. The two vulnerabilities discovered and reported by Cisco Talos had already been fixed a few days earlier with version 4.6.12, but 5.0 brought an important new feature: end-to-end encryption. This new feature, however, is not for everyone: only paid users will be assured that their chats and video conferences will be encrypted with AES-256 GCM.