Hackers are selling two serious Zoom zero-day vulnerabilities for $500,000
Both the Windows and macOS versions of Zoom are reported to have unpatched security vulnerabilities; the Windows flaw in particular could be exploited by attackers to target users and spy on calls and meetings.
Security experts say, despite not having seen the actual exploit code, that the Windows version of Zoom is affected by an RCE (Remote Code Execution) vulnerability described as being "perfect for industrial espionage". The Windows exploit has been offered for sale for $500,000.
As reported by Vice's Motherboard, three separate sources have confirmed that the vulnerabilities are available to buy in hacking circles, and that the exploits have been offered to them directly. News of the zero-days comes just days after it was reported that hacker forums were being used to offer Zoom user credentials for sale at very low prices.
While two of Vice's sources asked to remain anonymous, Adriel Desautels from penetration testing firm Netragard told the site:
From what I've heard, there are two zero-day exploits in circulation for Zoom. One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.
The Windows RCE flaw has a $500,000 price tag attached to it; the nature of the vulnerability means it commands a high price. But while remote code execution vulnerabilities are often seen as the holy grail of security flaws, some sources are downplaying the usefulness of the Windows vulnerability. One source explains that in order to exploit the flaw, an attacker would need to be in a call with the victim, meaning it is not suited to covert, unattended spying.
The vulnerability in the macOS version of Zoom is said to be less serious, and is not an RCE flaw.
In a statement given to Vice, Zoom said:
Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them. To date, we have not found any evidence substantiating these claims.