Update: After this story and others went live April 1, Zoom CEO Eric Yuan addressed Zoom security and other issues in a blog post. Part of the blog post detailed a bug fix to be released, which would fix the UNC vulnerability described in our original story, among other things. The fix appears to be pushing out automatically to users. PCWorld staff who’ve already received the fix report the version number as 4.6.9 (19253.0401).
An unpatched vulnerability within Zoom allows an attacker to drop a malicious link into a chat window and use it to steal a Windows password, according to reports.
A hacker could use an attack called a UNC path injection to expose credentials, according to an attack posted on Twitter and subsequently followed up with an additional video. According to The Hacker News, that’s because Windows exposes a user’s login name and password to a remote server when attempting to connect to it and download a file.
All an attacker needs to do is to send a link to another user and convince them to click it, for the attack to commence. Though the Windows password is still encrypted, the hack claims it can be easily decrypted by third-party tools if the password is a weak one.
As Zoom gains in popularity, it’s caught the eye of the security community, which is more closely examining the videoconferencing software for weaknesses. In addition to the risk of “Zoom bombing,” criticisms have been leveled at the software for claiming to be end-to-end encrypted, when in fact it actually isn’t. Last year, a flaw surfaced that potentially would allow remote users to join a Mac user to a call, then turn their camera on without permission. That flaw was patched. Zoom hasn’t, however, announced a fix for the current bug.
The Hacker News recommends either using the Windows security policy settings to turn off the automatic transmission of NTML credentials to a remote server, or else just use the Zoom client for the Web.