Zerodium looks to buy zero-days in Outlook and Thunderbird email clients
US-based exploit broker Zerodium announced plans today to pay $200,000 and $400,000 for zero-day exploits in Mozilla Thunderbird and Microsoft Outlook, respectively, two of today’s most popular and widely used desktop email clients.
The company, which buys exploits from security researchers and sells them to government and law enforcement agencies, announced its intentions earlier today via a message posted on its official Twitter account.
The exploits must be able to achieve remote code execution, allowing Zerodium’s customers to run code in a target’s email client, the company said.
Commenting on Zerodium’s announcement today, several security researchers have pointed out that a successful exploit for any of these two email clients would not only grant access to a user’s computer but also to all the email inboxes managed through the client.
Since account passwords can be exported from the client, this would also mean the entity using the exploit would also be able to subsequently access cloud-based email accounts after a successful exploit.
Zerodium did not specify on what platform the RCE exploits should work, but both email clients have clients for all three major operating systems—Windows, macOS, and Linux.
While the company operates in a somewhat rather controversial sector of the cybersecurity landscape, Zerodium’s exploits have yet to be found in attacks against activists, journalists, or politicians—unline exploits from other exploit brokers and surveillance software vendors such as Candiru, NSO Group, and Gamma Group—and is often regarded as the go-to exploit broker by many researchers.
Mozilla and Microsoft did not return requests for comment on Zerodium’s announcement.
Besides Thunderbird and Outlook zero-days, Zerodium is also running another bug acquisition drive for the WordPress CMS, today’s most popular website builder and content management system.