By combining a few fraud tricks with vulnerabilities in the system, bad guys can take control of a person’s Zalo account if that person can be tricked into trusting and clicking on a strange link.
In August 2021, on the hacker forum Raid*****, an account named ilovevng posted an offer of a 0-day (zero-day) vulnerability for taking control of Zalo Chat or Zalo Pay accounts.
The poster said that all it takes is sending a link to the victim through the Zalo application. If the victim clicks on that link, their account will easily be taken over.
“This vulnerability doesn’t leave any traces, doesn’t warn… The victim can be anyone you want,” the hacker said.
Anyone who wants to be told how to take control of a Zalo account has to pay the hacker in cryptocurrency. As of now, this post is still live on the Raid***** forum. Photo: Trong Dat
To expose the hackers’ tricks, VinCSS Cyber Security Service Company recently published how the culprit in the above case did it.
VinCSS’s Threat Hunt team discovered a number of security weaknesses that allow bad guys to build an exploit chain to take control of users’ Zalo and ZaloPay accounts.
A notable feature of the exploit chain is that the bad guy can take control of any Zalo account by luring the victim into clicking a carefully disguised link. After the attacker gets into the account, the Zalo application on the victim’s phone shows no warning about a new login session.
Specifically, while using Zalo, VinCSS discovered that the “Login via Zalo application” feature contains an Open Redirection vulnerability, which allows the address that receives tokens from the application to be changed.
VinCSS’s team of experts discovered a flaw in the login feature via the Zalo application.
When using the web-based Zalo application or some other applications in the VNG ecosystem, users are provided with the option “Login via Zalo application”. By exploiting the Open Redirection vulnerability in this login mechanism, the bad guys will get cookies that allow access to the account.
To do that, the bad guys need to redirect the authenticated user to a website under their control, thereby obtaining a token to log in to the account.
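The open redirection described above comes down to how a login service decides which address may receive a token. The following is an added example, not code from Zalo or VinCSS: the hostnames, paths and the weak prefix check are assumptions for illustration, contrasting a string-prefix test with an exact allowlist match.

```javascript
// Added example with hypothetical hostnames; not code from Zalo or VinCSS.
const ALLOWED_CALLBACKS = new Set([
  "https://chat.example.com/auth/callback",
  "https://pay.example.com/auth/callback",
]);

// Weak check (assumed for illustration): prefix test on the raw string.
function weakIsAllowed(raw) {
  return raw.startsWith("https://chat.example.com");
}

// Hardened check: parse the value the way a browser would, then require an
// exact match on scheme + host + port + path. Returns the allowlisted URL
// (never the caller-supplied string) or null.
function resolveCallback(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // relative or unparsable input
  }
  if (url.username || url.password) return null; // reject user@host forms
  const candidate = url.origin + url.pathname;
  return ALLOWED_CALLBACKS.has(candidate) ? candidate : null;
}

// The token is only ever attached to an allowlisted address.
function tokenRedirect(raw, token) {
  const target = resolveCallback(raw);
  if (target === null) return { status: 400, location: null };
  const location = new URL(target);
  location.searchParams.set("token", token);
  return { status: 302, location: location.href };
}

// Constructed sample values for the redirect parameter.
const SAMPLES = [
  "https://chat.example.com/auth/callback",
  "https://chat.example.com.untrusted.example/auth/callback",
  "https://chat.example.com@untrusted.example/auth/callback",
  "https://chat.example.com/auth/callback/../../other",
  "http://chat.example.com/auth/callback",
];

for (const raw of SAMPLES) {
  console.log(weakIsAllowed(raw), resolveCallback(raw) !== null, raw);
}
```

Only the first sample passes the hardened check; the prefix test also accepts the next three, each of which a browser would resolve to a different host or path.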
However, with this vulnerability alone, it would be difficult for bad actors to lure users into clicking, because the link would look very strange.
To make it more effective, the bad guys exploited a series of vulnerabilities, including one in the link content preview feature. This lets them hide the phishing link and entice users to click on it to view what appears to be the real landing page’s content.
A link to a phishing website disguised by VinCSS experts as the real thing through a hole in the link content preview feature on Zalo.
When the user clicks and is redirected to the bad guy’s server, this website will automatically record the token and redirect the user to the real landing page. Because redirects are so fast, users won’t even know they’ve just come across a fake website.
VinCSS also discovered that Zalo uses a mechanism that lets users log back in to a Zalo web session with the cookie of an already logged-in session. However, this mechanism also works for sessions that have never been logged in, which hides the login notification for the new device.
The two other vulnerabilities, one related to session duration and one that allows logging in to ZaloPay with the obtained token, help bad guys keep access to and control of the account for a long time and log in to other applications of Zalo’s company, including ZaloPay.
According to VinCSS, combining the 5 vulnerabilities makes it possible to form an exploit chain aimed at Zalo users. That is the method the bad guys in the August 2021 incident used. Fortunately, the problem was then dealt with quickly.
All 5 vulnerabilities mentioned above have now been fixed by the Zalo Security team. Therefore, how hackers took advantage of these vulnerabilities has been published as a research paper. Photo: Trong Dat
Sharing with VietNamNet about this story, security expert Ngo Minh Hieu (Hieupc) said that the above vulnerabilities are called client-side vulnerabilities.
To take advantage of these types of vulnerabilities, the bad guys need to carry out a phishing attack to entice and convince the victim to click on their link.
Compared with client-side vulnerabilities, server-side vulnerabilities are much more dangerous. They are a type of vulnerability that does not require much interaction from the user. Thankfully, the example above involves no server-side vulnerability.
To avoid becoming a victim of such incidents, users need to know how to protect themselves by not clicking on strange links. Users should spend about 1-2 minutes calling the sender of a link to verify it.
Users can also get into the habit of accessing unfamiliar websites through the browser’s Incognito Mode. Another way is to access the website through the website http://browserling.com.
When downloading a strange file, users should get in the habit of scanning for viruses before opening this file. Virus scanning can be done easily through the website http://virustotal.com. This is one of the partners of the Anti-Phishing project (Chongluadao.vn). According to expert Ngo Minh Hieu, not only with links but also with downloaded files, users also need to be vigilant.
For Word and Excel document files with suspicious signs, users can open them with the Google Docs tool.
Besides, one of the easiest ways to increase security is to always use a highly complex password and not share it with anyone, expert Hieupc recommends.
Trong Dat
