Updated comments from Zoom.

Zoom has a brand new flaw that allows hackers to completely take over your PC or Mac.

Two of them are Dutch security researchers Daan Keuper and Thijs Alkemade, who yesterday (April 7) demonstrated an exploit for this security flaw as part of the biannual Pwn2Own hacking contest.

Indeed, Keuper and Alkemade cascaded three different flaws (some of which may have been known for some time) to gain full remote control of a PC through the Zoom desktop application. Their exploits required no user interaction other than to confirm that the Zoom application was running.

This is a tweet from the Pwn2Own competition, showing an animation of the hack. The sudden activation of the calculator application indicates that the researcher took control of the machine. However, the animation gives no clue as to how Keuper and Alkemade pulled it off.

The exploit also works with the Zoom desktop client for Macs, Malwarebytes researcher Pieter Arntz explained in a blog post. However, the browser version of the Zoom meeting client is not affected.

Zoom itself is a major sponsor of this year's Pwn2Own competition, and while Zoom's website does not yet mention this exploit, Zoom officials are no doubt working to fix this flaw as soon as possible. rules, software developers have 90 days to fix the flaw that was revealed during the contest.

For their trouble, Keuper and Alkemade received $200,000, which must be a nice supplement to their day job at Dutch cybersecurity firm Computest.

As long as Keuper, Alkemade, and Zoom's security team remain tight-lipped about how this exploit works, there is little chance that hackers will use it to take over computers running Zoom.

For now, if you want to play it safe, use the Zoom browser interface rather than the Zoom desktop client. (When you join an online meeting, Zoom will prompt you to install a desktop app, but you can ignore it.)

The Pwn2Own competition is currently run by Trend Micro's Zero Day Initiative team and has been running since 2007.

White hat hackers are given genuine machines and software, all fully patched, and must demonstrate their exploits in real time in front of a live audience. The winner must share their method privately with the developer of the hacked software.

After this article first appeared, Zoom contacted us to say: [Thank you Zero Day Thank you to the Zero Day Initiative for sponsoring Pwn2Own Vancouver 2021. We take security very seriously and are very appreciative of Computest's research.

We are working to mitigate this issue with respect to our group messaging product, Zoom Chat; in-session chats in Zoom Meetings and Zoom Video Webinars are not affected by this issue. In addition, the attack must originate from an authorized external contact or be part of the same organization account as the target.

As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. program, please send a detailed report to.