News

Pwn2Own ended 2021: Windows 10, Ubuntu, Safari, Chrome and Zoom were hacked

The spring Pwn2Own 2021, the largest hacker competition, has ended. This time it all ended in a three-way draw between Team Devcore and OV, as well as the duo of cybersecurity experts Daan Keuper and Thijs Alkemade from Computest.

All three teams finished the competition with 20 points each. In total, in three days, Pwn2Own members earned $1,210,000. Detailed results can be found on the Trend Micro Zero Day Initiative (ZDI) blog.

Under normal circumstances, the event is held as part of the CanSecWest conference in Canada, but due to the coronavirus pandemic this year, Pwn2Own was held online again, like the spring and fall Pwn2Own last year. To this end, the organizers published a list of suitable targets back in January, and several teams applied for participation, planning a total of 23 hacks for ten different products from the list.

“The teams had 15 minutes to launch the exploit and remotely execute the code inside the target application. For each exploit that worked, participants received a cash prize from the sponsors of the competition and points for the tournament table”, — the organizers say.

Spring Pwn2Own 2021, as usual, lasted three days. As a result of the competition, Windows 10, Ubuntu, Safari, Chrome, Zoom, Microsoft Exchange, Microsoft Teams and Parallels Desktop were successfully compromised. Interestingly, none of this year’s entrants attempted to hack into the Tesla Model 3 car provided in the competition. The last time a car was hacked in 2019.

Cybersecurity experts unambiguously recognized the Zoom hack as the most impressive and dangerous compromise of this year, which does not require user interaction, asdemonstrated by Daan Köper and Tiis Alkemade of Computest. This exploit earned the experts $200,000.

The exploit is known to combine three vulnerabilities at once and works on the latest versions of Windows 10 and Zoom. In the researchers’ demo, the victim simply received an invitation to a meeting from the attacker and didn’t even need to click anywhere: the malicious code was executed automatically. Since the vulnerabilities have not yet been fixed, the technical details of the attack are still kept secret, but you can see what it looked like by this link.

The attack works against Windows and Mac versions of Zoom, but has not yet been tested on iOS or Android. Zoom developers have already told the media that they are working on fixing the problem and thanked the experts for their work.

“We take security very seriously and appreciate Computest’s research. We are working to resolve this issue in Zoom Chat, our group messaging product. This issue does not affect in-session chat in Zoom Meetings and Zoom Video Webinars. In addition, the attack must come from an accepted external contact or be part of the account of the same organization. Zoom recommends that users only accept requests to add to contacts from people they know and trust,” the developers say.

Let me remind you about the previous competition, Hacking competition Pwn2Own Tokyo, when were hacked NAS, routers and TVs.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Adblockelite.xyz pop-up ads (Virus Removal Guide)

Adblockelite.xyz is a site that tries to trick you into subscribing to its browser notifications…

5 hours ago

Remove Appcloud-center pop-up ads (Virus Removal Guide)

Appcloud-center.com is a site that tries to trick you into subscribing to its browser notifications…

5 hours ago

Remove Groopheetex pop-up ads (Virus Removal Guide)

Groopheetex.com is a site that tries to force you into clik to its browser notifications…

5 hours ago

Remove Vidstreambox pop-up ads (Virus Removal Guide)

Vidstreambox.com is a domain that tries to force you into clik to its browser notifications…

5 hours ago

Remove Mac-uptodate pop-up ads (Virus Removal Guide)

Mac-uptodate.com is a domain that tries to trick you into clik to its browser notifications…

5 hours ago

Remove Taffetlervers pop-up ads (Virus Removal Guide)

Taffetlervers.com is a site that tries to trick you into clik to its browser notifications…

5 hours ago