Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard has learned.

The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.

Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars.

Last week, Motherboard reported that there was an increased interest in zero-days for Zoom as millions of people, including employees and executives at big companies around the world, moved onto the platform for sensitive or confidential meetings, due to the coronavirus pandemic.

“From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows,” said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. “I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

Two other independent sources, who asked to remain anonymous to discuss sensitive topics, confirmed the existence of these two exploits on the market.

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],” said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.”

Do you work in exploit development or trade zero-days? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Remote Code Execution exploits are the most sought after bugs, as they allow hackers to break in without having to rely on the target falling for a phishing attack, for example. These attacks allow hackers to execute code on the target’s computer, hence the name. Generally speaking, an RCE exploit allows hackers to access the target’s whole machine, not just the app they are attacking.

The zero-day for Zoom on Windows would allow hackers to access the app, but would need to be coupled with another bug to access the whole machine. The MacOS one is not an RCE, according to the two anonymous sources.

The asking price for the zero-day for the Zoom Windows app is $500,000, according to one of the sources, who deals with the procurement of exploits but has decided not to purchase this one.

The source said the exploit requires the hacker to be in a call with the target, making it less valuable for a government spy agency that aims to be stealthy and doesn’t want to get caught.

“I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang,” said the source, who estimated the exploit to be worth around half the asking price.

The MacOS bug is not an RCE, making it less dangerous and harder to use in a real hack, according to the two anonymous sources.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement. “To date, we have not found any evidence substantiating these claims.”

Despite these issues, for the vast majority of people who are using Zoom to catch up with friends and family, it’s totally OK to use the software, as Motherboard’s editor-in-chief Jason Koebler explained recently. All software has bugs and flaws, Zoom is no different. And in Zoom’s defense, the company has responded quickly to the recently reported security and privacy issues, and has recently announced a large investment to improve the security of its products.

This story has been updated to clarify that the FBI issued a warning about Zoom hijackings, and did not warn against using it.