New Zoom vulnerabilities allow hacking Zoom meetings with a GIF or a code snippet sent via chat

This is a new security alert for Zoom users. Cybersecurity experts recommend verifying that the latest version of the popular video conferencing software is running on your Windows, macOS, or Linux devices, as it contains fixes for a number of critical vulnerabilities.

The Cisco Talos research team disclosed two critical flaws that could allow threat actors to compromise the systems of Zoom group session participants. Both are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on systems running vulnerable versions of Zoom, and thereby to execute malicious code.

Successful exploitation of these flaws would require little interaction from chat participants (in some cases none at all); the attack only requires sending specially crafted messages in the chat of a Zoom session.

The first flaw, tracked as CVE-2020-6109, lies in the way Zoom uses the GIPHY service (recently acquired by Facebook) to let users search for and send GIFs without leaving the video conference. Zoom does not check whether a shared GIF is actually being loaded from the GIPHY service, so attackers could serve a GIF from a malicious server without users noticing anything unusual.

The second flaw, CVE-2020-6110, is a remote code execution vulnerability in the way vulnerable versions of the Zoom client process code snippets shared via chat.

Zoom’s chat is built on the XMPP standard with additional extensions that support its rich user experience. One such extension adds sharing of source code snippets with full syntax highlighting. Sending code snippets requires installing an additional add-in, but receiving them does not. The feature is implemented as an extension of Zoom’s file sharing support.

The feature creates a zip file of the shared snippet before sending it and then automatically unzips it on the recipient’s system. According to the researchers, Zoom’s zip extraction routine does not validate the contents of the archive before extracting it, allowing attackers to plant arbitrary binaries on the target systems.

Both flaws have already been fixed, so Zoom users only need to verify that the security patches are installed.