Mazin Ahmed, a researcher who presented at DEF CON 28, recently demonstrated several vulnerabilities that he found in Zoom and reported to the company between April and July 2020. Although most of these flaws require an attacker to already have local access to the victim's machine, they are still significant: they let an attacker with an existing foothold go considerably further than the foothold alone allows.
With local access to a victim's machine, Ahmed showed that malware can abuse Zoom to launch untrusted applications, exfiltrate Zoom user data, and read chat messages that Zoom stores on the system in plaintext. Malware can also inject custom certificate fingerprints into Zoom's local database, which means a local attacker can tamper with the client's certificate trust data. Zoom issued a fix for these vulnerabilities and others on August 3rd, 2020. The practical takeaways are to confirm that deployed Zoom clients are updated to a build released on or after that date, and to treat a Zoom client's local data directory as sensitive material when scoping an endpoint compromise, since it may contain readable chat history.