Zoom has once again made it to the news owing to another privacy issue. As discovered, Zoom client on Windows exposes users’ Windows credentials to potential attackers via UNC links.
Zoom Client Exposes Windows Credentials
Bleeping Computer has recently revealed how Zoom client on Windows exposes credentials to an attacker.
As revealed, the problem exists because of messages with URLs or regular paths in the app convert into clickable links automatically in the Zoom app. While that helps a user in opening a link quickly in the browser, for non-URLs or Windows networking UNC paths, this leads to weird behavior. As explained by Lawrence Abrams,
If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file.
While doing so, Windows also shares the users’ credentials (login name and NTLM password hash). Hence, an attacker may easily dehash the passwords using any tools such as Hashcat. With GPUs, such tools would not take long to crack the password hashes.
The bug first caught the attention of a security researcher with alias g0dmode on Twitter.
Later, another researcher Matthew Hickey demonstrated the UNC injection in Zoom to capture NTLM password hashes.
Such a UNC injection may also allow an attacker to execute arbitrary codes on the target device.
Do This To Mitigate Until A Fix Is Available
For now, this remains an unpatched issue awaiting a fix from Zoom which should prevent the automatic conversion of UNC paths into clickable links. Though, Zoom has confirmed in a statement to Bleeping Computer that they are working on a fix.
At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it.
Until then, users can mitigate this problem by following Microsoft’s instructions to restrict NTLM credentials from automatic sharing.
This news came right after Zoom addressed iOS users’ data-sharing issue with Facebook via their app.
Let us know your thoughts in the comments.