On the heels of Zoom’s iPhone privacy blunder, a security researcher has found that attackers can use the Zoom Windows client’s group chat feature to share links that will leak the Windows network credentials of anyone who clicks on them.
Zoom is under extra scrutiny as usage of the video conference app has surged during the coronavirus COVID-19 outbreak.
The group chat feature lets users send messages to other participants in a meeting and converts URLs into hyperlinks for the recipient to open a web page in a browser.
But as BleepingComputer reports, the Zoom client not only converts normal URLs into a clickable link but also Windows networking Universal Naming Convention (UNC) paths.
UNC is used to specify the location of a network resource, such as a file that could be hosted on an attacker-controlled SMB (Server Message Block) server.
When someone clicks on the UNC path link, Windows attempts to connect to the remote site using the SMB network file-sharing protocol. And by default, Windows then sends the user’s login name and NT LAN Manager (NTLM) credential hash.
Additionally, whenever an SMB connection is made, it may leak the client’s IP address, domain name, user name, and host name.
While the hash is not in plaintext, a weak password can be cracked in seconds on a computer with an average GPU using tools such as the John the Ripper password cracker.
The bug was discovered by security researcher @_g0dmode. UK security researcher Matthew Hickey has demonstrated that the UNC path injection issue affecting the Zoom client can be used to leak credentials for use in subsequent SMB Relay attacks. He also found the UNC path link can be used to launch an executable, though Windows will display an alert.
Hickey says Zoom’s fix should involve not rendering UNC paths as hyperlinks.
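To make the fix concrete, here is an added example (not Zoom’s code) that models a chat linkifier: one variant hyperlinks UNC paths the way the article describes, the hardened variant only hyperlinks http/https URLs, and a helper extracts the hosts named in UNC paths so a defender can log or alert on them. The function names, regexes and the sample message are constructed for this illustration.

```python
import re

# http(s) URLs: stop at whitespace or characters that would end an HTML attribute.
URL_RE = re.compile(r'https?://[^\s<>"]+')
# Windows UNC paths: \\host\share\optional\segments (two leading backslashes).
UNC_RE = re.compile(r'\\\\[^\s\\<>"]+(?:\\[^\s\\<>"]+)*')

# Constructed sample chat message; the host is an RFC 2606 reserved name.
SAMPLE = r"Join at https://example.com/meet and grab \\evil-host.invalid\share\notes.txt"


def permissive_linkify(message: str) -> list:
    """Model of the behaviour the article describes: every URL-like token,
    UNC paths included, becomes a clickable link target."""
    links = [{"kind": "url", "target": m.group(0)} for m in URL_RE.finditer(message)]
    links += [{"kind": "unc", "target": m.group(0)} for m in UNC_RE.finditer(message)]
    return links


def safe_linkify(message: str) -> list:
    """Hardened variant (the fix Hickey suggests): only http/https URLs are
    hyperlinked; a UNC path is left as inert text, so a click cannot trigger
    an SMB connection and the NTLM exchange that follows."""
    return [{"kind": "url", "target": m.group(0)} for m in URL_RE.finditer(message)]


def unc_hosts(message: str) -> list:
    """Defender helper: hostnames referenced by UNC paths in a message, suitable
    for logging or for flagging messages that point at external SMB servers."""
    # Drop the leading '\\' and keep the first path segment (the host).
    return [m.group(0)[2:].split("\\")[0] for m in UNC_RE.finditer(message)]


if __name__ == "__main__":
    print("vulnerable rendering:", permissive_linkify(SAMPLE))
    print("hardened rendering:  ", safe_linkify(SAMPLE))
    print("UNC hosts to review: ", unc_hosts(SAMPLE))
```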
ZDNet has asked Zoom whether it intends to fix this issue and will update the story if a response is received.
Microsoft’s instructions for restricting outgoing NTLM traffic to remote servers can be implemented to avoid UNC link attacks until Zoom issues a fix.