Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

Zoom App Vulnerability Allow Hackers To Steal Your Windows Password

Previously alleged for providing its iOS users’ data to Facebook, the Zoom app now has critical vulnerabilities that can allow hackers to steal user credentials of the Windows.

The vulnerability in Zoom Windows client is said to be the UNC (Universal Naming Convention) path injection which is present in the chat option of the Zoom app.

Zoom users often share URLs in the chat option while communicating, these URLs are converted into hyperlinks for the users to open them in their default browser.

The issue present in the chat feature of Zoom Windows client is, it is also converting Windows networking UNC paths into clickable links.

This vulnerability is discovered by security researcher Mitch (@_g0dmode), and also confirmed by Hacker Fantastic.

A typical credential-stealing attack by exploiting Zoom Windows client app vulnerabilities involves:
  1. The UNC path link is shared by hackers into a Zoom Chat.
  2. That UNC path link gets converted into a clickable hyperlink (like URLs).
  3. When a user clicks on that path, the Windows will connect to the remote file/site provided by that UNC path using the SMB file-sharing protocol.
  4. When connecting to the remote file, Windows shares will share the user’s login name and also NTLM password hash.
  5. Then the hacker will crack the NTLM password hash using free tools like Hashcat to dehash to see the actual password of the user.

Google security researcher Tavis Ormandy also reproduced this error but using a DOS device path instead of a UNC path, where it also gets converted into a hyperlink and opens an application (a Calculator in this case) without prompting a user.

Zoom provided a statement on this, saying, “At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it,” told BleepingComputer.

As millions of users are using the Zoom app worldwide for chat and video conferencing, the FBI issued an alert related to another so-called Zoom vulnerability “Zoombombing” where the ongoing video conferences of the users are getting hijacked by hackers and showing pornographic videos and shouting profanities.


Share with your friends:

Leave a Reply

Your email address will not be published. Required fields are marked *