Zoom has gained popularity recently due to the coronavirus pandemic, even though the video conferencing service has existed for nine years. It is now the favorite app of millions of people due to its ease of use.
Zoom is an effective solution for conducting online conferences, but it is still not the best choice when it comes to privacy and security.
According to cybersecurity expert @_g0dmode, the Zoom client for Windows is vulnerable to a 'UNC path injection' vulnerability that could allow remote attackers to steal login credentials for victims' Windows systems. Security researchers Matthew Hickey and Mohamed A. Baset confirmed the vulnerability.
The attack uses the SMBRelay technique: when a user tries to connect to an attacker-controlled SMB server and download a file hosted on it, Windows automatically sends the user's login username and NTLM password hash to that server.
Zoom for Windows supports remote UNC paths and converts them, including potentially insecure URLs, into clickable hyperlinks for recipients in a personal or group chat.
To steal the login credentials of a user running Zoom for Windows, an attacker only has to send a crafted UNC path (e.g. `\\x.x.x.x\abc_file`) to the victim over the chat interface and wait for the victim to click it once.
The collected passwords are not plaintext, but a weak password can easily be cracked from its NTLM hash using password cracking tools like HashCat or John the Ripper.
In a shared environment the stolen credentials can be reused to compromise other users or IT resources and launch further attacks.
Zoom was notified of this bug, but the flaw is not yet patched. So, users are advised to use Zoom in their web browser instead of the client app, or to use some other video conferencing software.
Windows users can use a strong password and also change the security policy settings to restrict the operating system from automatically passing their NTLM credentials to a remote server.
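The policy change mentioned above can be audited and applied from the command line. The following PowerShell script is an added example, not code from the article or from Zoom: the registry location is the one Microsoft documents for the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, while the script structure, parameter names and labels are this editor's own.

```powershell
# Added example (not from the original article): report and optionally tighten
# the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which is
# what stops Windows from silently sending NTLM credentials to a remote SMB
# server reached through a UNC link. Run from an elevated PowerShell prompt.
# Registry path and values follow Microsoft's documented policy mapping.
[CmdletBinding()]
param(
    [ValidateSet('Report', 'Audit', 'Deny')]
    [string]$Mode = 'Report'   # Report only by default; Audit before Deny
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
# Documented policy values: 0 = Allow all, 1 = Audit all, 2 = Deny all
$Labels = @{
    0 = 'Allow all (default; credentials leak to a malicious UNC target)'
    1 = 'Audit all (logs outgoing NTLM but does not block it)'
    2 = 'Deny all (blocks outgoing NTLM to remote servers)'
}

function Get-OutgoingNtlmPolicy {
    # An absent value means the policy is "Not Defined", which behaves as Allow all.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

$current = Get-OutgoingNtlmPolicy
Write-Host ("Current setting: {0} - {1}" -f $current, $Labels[$current])

switch ($Mode) {
    'Audit' { $target = 1 }
    'Deny'  { $target = 2 }
    default { return }   # Report mode: nothing to change
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $target -Type DWord
Write-Host ("Set {0} to {1} - {2}" -f $ValueName, $target, $Labels[$target])
if ($target -eq 2) {
    Write-Host 'Note: Deny all also blocks legitimate NTLM-only file shares;'
    Write-Host 'add exceptions through the matching "remote server exceptions" policy.'
}
```

Run with `-Mode Audit` first: outgoing NTLM attempts are then recorded in the NTLM Operational event log (Applications and Services Logs > Microsoft > Windows > NTLM), which shows which servers would be affected before switching to `-Mode Deny`.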
Besides this issue in Zoom, another report states that Zoom doesn't use end-to-end encryption to protect its users' call data, even though it boasts that "Zoom is using an end to end encrypted connection."
Zoom also updated its iOS app last week when it was caught sharing users’ device information with Facebook servers, thereby failing to protect users’ privacy.