Be careful which links you press in the chat of your next Zoom call — they might steal your credentials.
The social distancing rules enacting to curb the spread of the coronavirus have benefited some companies and harmed others. For Zoom, it's done both.
- Best video conferencing apps and software
- Working from home essentials for Coronavirus and beyond
- Zoom meetings are not as private as advertised: What you should do
On one hand, people are flocking to the video conferencing service in droves to chat with friends or join virtual business meetings. On the other, Zoom is under the spotlight like never before, and its skeletons are being revealed.
It started when The Intercept published a report questioning the company's advertised end-to-end encryption. In reality, the faux-encryption stops with Zoom, so staff members could theoretically view your content or Zoom could be compelled to turn your content over to law enforcement.
Now security researchers have discovered that attackers can use the Zoom Windows client group chat to share links that leak Windows network credentials. Like most video conferencing apps, Zoom has a chat feature that lets you send messages to anyone on the call. When you post a URL, it automatically transforms into a hyperlink so participants can quickly access the site.
That's harmless on its own, but security researcher @_g0dmode found that Zoom also converts URLs into Windows networking Universal Naming Convention (UNC) paths, which can be used to access network resources.
As BleepingComputer points out, if a user clicks on a UNC path link posted by a malicious actor, Windows will connect to a remote site with a user's login name and password, which can be dehashed with free tools in a matter of seconds.
A UNC path can also take an innocent Zoom user to a malicious program, opening the doors for a hacker to inflict serious harm.
How Zoom can protect users
There is an easy solution for this security vulnerability: don't turn UNC paths into clickable hyperlinks. If the potentially malicious path doesn't turn blue in the chat, people will be less inclined to see where it leads.
"Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter," security research Matthew Hickey (@HackerFantastic) told BleepingComputer.
Zoom hasn't acknowledged the problem, so your best bet is to follow Microsoft's instructions for restricting NTLM traffic (opens in new tab) to remote servers to prevent UNC link attacks in Zoom.
Zoom leaking user data
If that wasn't bad enough, Zoom was found to be leaking the personal information -- including emails and photos -- of thousands of users.
The problem stems from Zoom's "Company Directory," which links you with people who have the same email domain. Unfortunately, in some cases, users are being grouped with thousands of people who they don't work with.
"I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses." Barend Gehrels, a Zoom user who flagged the issue to Motherboard.
This comes just days after Zoom updated its iOS app after a Motherboard report found that analytics were being shared with Facebook. Zoom now faces a class-action lawsuit.