Massive Exploit Found in Zoom Software
Pwn2Own is a yearly competition where security researchers can gather and find vulnerabilities in popular software used around the world.
Pwn2Own competitions start with a large selection of software such as internet browsers like Google Chrome and Firefox.
Past events have also included hardware such as IoT devices and even a Tesla. True to the competition's name, if a security researcher is able to find a severe vulnerability in a device, they can keep the device.
In 2019 a team of two was able to take control of a Tesla Model 3 by exploiting a bug in the car’s entertainment system. Keeping the promise, the team was allowed to keep the Tesla and they were awarded an additional $35,000.
For this year’s competition a very well-known program was on the chopping block, Zoom. Zoom has exploded in popularity over the last year due to Covid-19 with everyone working from home. Countless schools, businesses and even governments used Zoom on a regular basis to conduct meetings and classes.
The two-person team that found this exploit was Daan Keuper and Thijs Alkemade. The exploit uses three vulnerabilities in tandem to get full control over the victim’s computer.
The exploit used was a “zero-click” exploit, meaning that the victim did not need to interact with the system to get infected. There were no files the victim had to be tricked into downloading; all the victim needed to be hacked was a Zoom account.
When hit with the exploit, the victim would see a meeting invitation from the attacker, but the victim did not need to accept the invite; they were already infected.
Zoom gave the following statement to SecurityWeek regarding the exploit:
“We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.”
Daan Keuper and Thijs Alkemade were awarded $200,000 for finding this exploit.