The video conferencing app Zoom has recently risen in popularity as people are forced to work from home. Its 100-participant limit and live file collaboration make it one of the best video conferencing apps available for work.
According to cybersecurity expert @_g0dmode, the Zoom video conferencing client for Windows is vulnerable to a classic ‘UNC path injection’ vulnerability that could allow remote attackers to steal victims’ Windows login credentials and even execute arbitrary commands on their systems. UNC, or Universal Naming Convention, is a filename format used to specify the location of files, folders, and resources on a local-area network.
The Zoom Windows client vulnerability lets attackers steal the Windows credentials of users who click a malicious link sent to them in a chat. The attack is possible because the Zoom client for Windows treats remote UNC paths like ordinary URLs and converts them into clickable hyperlinks when they arrive in a personal or group chat message.
The issue begins when Zoom converts network UNC paths into clickable links in chat messages, just as it does for regular URLs. When a user clicks the UNC path link, Windows attempts to connect to the remote host using the SMB file-sharing protocol to open the remote file. By default, Windows then sends the user’s login name and NTLM password hash, which can be cracked with free tools like Hashcat to reveal the user’s password. With today’s powerful CPUs and GPUs the hash can be cracked within seconds. A clickable UNC path can also launch programs on the user’s computer, which lets attackers initiate malicious activity on the machine remotely.
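As an added illustration (not code from the article or from Zoom), the Python below does what a hardened chat client should do with the behaviour described above: it auto-links http(s) URLs but leaves UNC paths as inert text, and it flags UNC paths with indicators worth alerting on. The regexes, the sample messages and the 203.0.113.7 host are constructed for this example.

```python
import html
import ipaddress
import re
from typing import Dict, List

# UNC path: \\host\share[\more\components]; host is a name or IPv4 literal (IPv6 literal forms not handled).
UNC_RE = re.compile(r"\\\\(?P<host>[A-Za-z0-9._-]+)\\(?P<share>[^\\\s]+)(?P<rest>(?:\\[^\s]*)?)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXEC_EXT = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".scr", ".js")

# Constructed sample chat messages (not real Zoom traffic); 203.0.113.7 is a documentation address.
SAMPLE_MESSAGES = [
    "Slides are here: https://example.com/deck.pdf",
    r"Notes: \\fileserver.example.internal\share\notes.docx",
    r"Please open \\203.0.113.7\C$\tools\update.exe before the call",
]


def find_unc_paths(text: str) -> List[Dict[str, object]]:
    """Return every UNC path in a message plus indicators that make it more suspicious."""
    # Any UNC path is a credential-leak risk once rendered as a link (Windows tries SMB and
    # sends NTLM authentication); the extra indicators only help triage which ones to alert on.
    hits = []
    for m in UNC_RE.finditer(text):
        host, share, rest = m.group("host"), m.group("share"), m.group("rest")
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("ip-literal host")        # no DNS name, common for attacker-controlled hosts
        except ValueError:
            pass
        if share.endswith("$"):
            reasons.append("administrative share")   # C$, ADMIN$ and similar
        if rest.lower().endswith(EXEC_EXT):
            reasons.append("executable target")      # clicking would launch a program
        hits.append({"path": m.group(0), "host": host, "share": share, "reasons": reasons})
    return hits


def linkify_safe(text: str) -> str:
    """Render a message as HTML: http(s) URLs become hyperlinks, UNC paths stay as inert text."""
    parts, pos = [], 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        parts.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))   # UNC paths end up here, escaped but never as <a href>
    return "".join(parts)
```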
Zoom is aware of this issue and is working on an update to fix it. If you still want to use Zoom without risking your information, you can disable NTLM credentials being sent to remote servers. To do this, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.