Zoom Can Expose You To Cyber Attacks

The video-conference platform Zoom has disclosed four new software problems and vulnerabilities that expose users to cyber attacks.

Cyber security researchers found that the vulnerabilities can be used to compromise users over the platform’s chat function: a criminal hacker who sends a specially crafted XMPP (Extensible Messaging and Presence Protocol) message can cause malicious code to be executed.

By sending such a message, an attacker could force clients to connect to a man-in-the-middle server that served a version of the Zoom client from 2019. Google Project Zero security researcher Ivan Fratric, who uncovered the problems, has said, “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.”

XMPP is the standard on which Zoom’s chat feature is built. By exploiting the aforementioned vulnerabilities, an attacker can pose as a regular user; the victim’s client is then made to connect to a malicious server and download an “update”, resulting in arbitrary code execution through a downgrade attack.
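As an added illustration of the defence against the downgrade step (not Zoom’s code and not from the Project Zero report), the following update policy refuses any offered build that is not newer than the installed one and only trusts metadata served over HTTPS from a pinned host; the installed version, host name and offer format are all hypothetical.

```python
# Added example, not Zoom's code: an update policy that refuses any offered
# build that is not newer than the installed one and only trusts update
# metadata fetched over HTTPS from a pinned host. All values are constructed.
from urllib.parse import urlparse

INSTALLED_VERSION = "5.10.4"                            # hypothetical installed build
TRUSTED_UPDATE_HOSTS = {"updates.example-vendor.test"}  # hypothetical pinned host


def parse_version(version: str) -> tuple:
    """'5.10.4' -> (5, 10, 4): numeric comparison, so 5.9 < 5.10 as intended."""
    return tuple(int(part) for part in version.strip().split("."))


def evaluate_update(offer: dict, installed: str = INSTALLED_VERSION) -> tuple:
    """Decide whether to follow an update offer.

    offer is a constructed dict with 'version' and 'url' keys standing in for
    whatever metadata a real client receives from its update channel.
    Returns (accept, reason). A version floor complements, never replaces,
    signature verification of the downloaded installer.
    """
    parsed = urlparse(offer.get("url", ""))
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_UPDATE_HOSTS:
        return False, f"untrusted update source: {offer.get('url')!r}"
    try:
        offered = parse_version(offer["version"])
    except (KeyError, ValueError):
        return False, "malformed version string"
    if offered <= parse_version(installed):
        # The downgrade case described in the article: an older build is
        # offered to a client that already runs something newer.
        return False, f"downgrade refused: {offer['version']} is not newer than {installed}"
    return True, "accepted"
```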

Zoom, the video-conferencing platform that has become a staple of connection and communication since the onset of COVID-19, has acknowledged that the vulnerabilities, rated from 5.9 to 8.1 in severity, can be exploited to compromise chat users.

The vulnerabilities could be exploited to compromise users over chat by sending specially crafted XMPP messages and executing malicious code.

In the report, Fratric writes: “Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack.”

The issue at the core of these vulnerabilities is that an attacker can find and exploit inconsistencies between the XML parsers in the software’s client and server.

Because the two parsers disagree about where one stanza ends and the next begins, attacker-controlled XMPP stanzas can reach the victim’s client. This lets the attacker weaponize the software update process, delivering an outdated, less secure version of Zoom to prospective targets through a malicious server.

David Mahdi, CISO advisor at Sectigo, commented on these forms of social-engineering attacks and offered advice on how to avoid becoming a victim: “As a form of social engineering, attacks like this can be incredibly hard to prevent, with attackers using incredibly savvy methods to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware... Attackers are now deploying a growing variety of tactics, such as supply chain attacks and social engineering, to target organizational issues inherent with hybrid work, human error, and shadow IT.
“Multi-factor authentication (MFA), when correctly deployed, can mitigate cyber-criminal attacks from using stolen credentials to access devices or networks in the case of a phishing attack,” according to Mahdi.
