Sign In

Communications of the ACM

ACM TechNews

Zoom Used In Smuggled Code Attack

View as: Print Mobile App Share:
worker at laptop computer in a Zoom meeting

A Google security researcher sent a smuggled stanza within a legitimate message.

Credit: Getty Images

Google Project Zero security researcher Ivan Fratric launched a remote code execution attack by exploiting the technology underlying Zoom and other applications.

Fratric's exploit targets bugs in XMPP, an XML-based instant messaging-like protocol. The method involves embedding pieces of XMPP code, or stanzas, within other XMPP stanzas. The attacker is then able to use a client to smuggle stanzas within legitimate messages, which are accepted and passed on by the intermediate server but interpreted as two stanzas by the victim's IM client.

Fratric alerted Zoom, which has issued patches, but Fratric warned that other targets also are vulnerable to XMPP bugs.

From PC Magazine
View Full Article


Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account