Microsoft Teams And Zoom Hacked In $1 Million Competition

Both Microsoft Teams and Zoom have been exposed as vulnerable by benevolent hackers taking part in the annual Pwn2Own competition. The hacks, which won the contestants a joint $400,000 in a competition that’s now doled out more than $1 million in prizes, show it’s possible to target the hugely popular videoconferencing tools to take control of a user’s PC.

The Zoom attack was particularly noteworthy as the ZDI Initiative said it didn’t require the victim to click on anything, though Zoom said that the attacker had to be accepted as an external contact or be under the target’s same organizational account for the hack to work. Ultimately, it could’ve allowed the hackers to write their own software onto the target computer. If they were malevolent hackers, that could’ve been malware for snooping on a system, but they simply launched a calculator (a classic proof of a successful attack). The exploit was the work of Daan Keuper and Thijs Alkemade from Computest, a Netherlands-based security testing company, who “used a three bug chain to exploit Zoom messenger and get code execution on the target system – all without the target clicking anything,” the ZDI Initiative, a Trend Micro organization that runs Pwn2Own, said in a blog post.

According to ZDI, a hacker going by the name of OV won $200,000 when they “combined a pair of bugs to demonstrate code execution on Microsoft Teams.” Multiple other Microsoft technologies were also hacked as part of the competition, including Windows 10 and Exchange. The so-called DEVCORE team found an authentication bypass bug and a flaw that allowed them to take complete control over an Exchange server. Given the recent spate of attacks on tens of thousands of Exchange servers, allegedly carried out by China, there’s increased urgency to ensure the security of the Microsoft email tech.

Details will not emerge until after the vulnerabilities are patched. A Microsoft spokesperson said: “Vulnerabilities reported as part of the Pwn2Own contest are disclosed responsibly and confidentially. We review all reports and will take appropriate action as needed to help keep customers protected.”

A Zoom spokesperson said: “On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat, our group messaging product. This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues.”

The ZDI Initiative said that it hit a record of more than $1 million in prizes for this year’s Pwn2Own competition. The final day of the contest on Thursday will see more attempts to exploit weaknesses in Exchange, Windows 10, the Ubuntu operating system and the Parallels virtual desktop software.