Zerodium looks to buy zero-days in Outlook and Thunderbird email clients
Catalin Cimpanu January 27, 2022

US-based exploit broker Zerodium announced plans today to pay $200,000 and $400,000 for zero-day exploits in Mozilla Thunderbird and Microsoft Outlook, respectively, two of today’s most popular and widely used desktop email clients.

The company, which buys exploits from security researchers and sells them to government and law enforcement agencies, announced its intentions earlier today via a message posted on its official Twitter account.

The exploits must be able to achieve remote code execution, allowing Zerodium’s customers to run code in a target’s email client, the company said.

Commenting on Zerodium’s announcement today, several security researchers have pointed out that a successful exploit for either of these two email clients would grant access not only to a user’s computer but also to all the email inboxes managed through the client.

Since account passwords can be exported from the client, the entity using the exploit would also be able to subsequently access cloud-based email accounts after a successful exploit.

Zerodium did not specify on what platform the RCE exploits should work, but both email clients have versions for all three major operating systems—Windows, macOS, and Linux.

While the company operates in a somewhat controversial sector of the cybersecurity landscape, Zerodium’s exploits have yet to be found in attacks against activists, journalists, or politicians—unlike exploits from other exploit brokers and surveillance software vendors such as Candiru, NSO Group, and Gamma Group—and the company is often regarded as the go-to exploit broker by many researchers.

Mozilla and Microsoft did not return requests for comment on Zerodium’s announcement.

Besides Thunderbird and Outlook zero-days, Zerodium is also running another bug acquisition drive for the WordPress CMS, today’s most popular website builder and content management system.

Prior to that, Zerodium also sought to buy exploits in the ISPConfig web hosting panel, the Pidgin XMPP instant messenger, and the ExpressVPN, NordVPN, and Surfshark VPN apps.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.