Zoom security bug lets attackers steal Windows passwords.

Zoom, the videoconferencing software that's skyrocketed in popularity as much of the globe sits at home due to the coronavirus outbreak, is quickly turning into a privacy and security nightmare.

BleepingComputer reports about a newly found vulnerability in Zoom that allows an attacker to steal Windows login credentials from other users. The problem lies with the way Zoom's chat handles links, as it converts Windows networking UNC (Universal Naming Convention) paths into clickable links. If a user clicks on such a link, Windows will leak the user's Windows login name and password.

The good thing is that the password is hashed; the bad thing is that, in many cases, the hash is simple to crack with password recovery tools such as Hashcat.

The vulnerability was first found by security researcher @_g0dmode and verified by security researcher Matthew Hickey. Additionally, Hickey told the news outlet that this vulnerability can be used to launch programs on a victim's computer when they click on a link, though Windows will (by default) at least give a security warning before launching the program.

As far as security vulnerabilities go, this one is pretty bad, as it doesn't require a lot of knowledge to exploit. It does require the victim to actually click on a link, and it can be mitigated by tinkering with Windows' security settings, but it's definitely something Zoom should fix by changing the way the platform's chat handles UNC links.

In the meantime, for a quick fix, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and set to "Deny all".
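As an added example (not code from the Mashable article or from Zoom), the PowerShell below reads and then applies the same "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting through its backing registry value, so the fix can be checked and rolled out without clicking through the policy editor. It assumes the setting lives at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic with 0 = Allow all, 1 = Audit all, 2 = Deny all; that mapping is not stated on the page.

```powershell
# Added example: audit and apply the outgoing-NTLM restriction described
# in the article. Assumed registry backing for the Group Policy setting:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
#   0 = Allow all, 1 = Audit all, 2 = Deny all
# Run from an elevated PowerShell prompt.

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name  = 'RestrictSendingNTLMTraffic'
$Names = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    # Returns the current DWORD, or $null when the policy was never set
    # (Windows then behaves as "Allow all").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-OutgoingNtlmPolicy
if ($null -eq $current) {
    Write-Host 'Outgoing NTLM policy: not configured (behaves as Allow all)'
} else {
    Write-Host ('Outgoing NTLM policy: {0} ({1})' -f $current, $Names[$current])
}

# 'Audit all' (1) only logs outbound NTLM (Event Viewer: Applications and
# Services Logs > Microsoft > Windows > NTLM > Operational), which shows
# which file shares or printers still depend on it before anything breaks.
# 'Deny all' (2) is the article's fix: a UNC link clicked in a chat can no
# longer make Windows send the user's NTLM hash to the remote host.
Set-OutgoingNtlmPolicy -Value 2
$after = Get-OutgoingNtlmPolicy
Write-Host ('Now set to: {0} ({1})' -f $after, $Names[$after])
```

On a machine that relies on network shares or printers, run with Audit all first, because Deny all blocks legitimate NTLM to those servers too; the companion policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" can whitelist them.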

Mashable has contacted Zoom for comment on this story, and we'll update it when we hear back.


This is not the only privacy/security-related issue that has been unearthed at Zoom in the past couple of weeks. Just yesterday, The Intercept reported that Zoom doesn't actually use an end-to-end encrypted connection for its calls, despite claiming to do so. There's also the issue of leaking users' emails and photos to unrelated parties, and the fact that the company's iOS app, until recently, sent data to Facebook for no good reason.

Zoom software also has a couple of worrying privacy features, and although this isn't Zoom's fault, it's worth noting that hackers are using the app's newfound popularity to trick users into downloading malware.

Comments

  1. My department is recommending it to teach students.
    1. I'm having classes every day screening on it
    2. it’s not recommended for us...
  2. Yea, but Zoom is so convenient. I will wait for them to fix it.
  3. They are going from bad to worse.
  4. Good move Windows Skype LOL
  5. Thank god I only use Apple

    https://giphy.com/gifs/apple-Vm0ywNuVAHkEU
  6. Use Gotomeeting..
  7. Mashable, why are you so anti-Zoom?
  8. How does one fix on iPad? The fix they gave is for computer desktop
    1. stop using it!
    2. I do believe the bug/security issue applies only to Windows. But I would consider other security and privacy issues..
    3. The kids do play dates. It's the only thing keeping a bond with them. They play hangman and charades.
  9. It's easy to trust the big players, Zoom, Skype and many others, because everyone does it!
    This bug is not the first from Zoom. In my opinion, Zoom is not a first choice due to security and integrity. I recommend, for example, Whereby or an entirely P2P (peer-to-peer), open-source solution such as this https://kollokvium.herokuapp.com/; they may not be as polished and elegant, but clearly worth a try.
  10. Those using Zoom for online workouts or meetings should read this.
  11. What the h.... :( :( :(
  12. And this is currently the app that I use to speak to IT.
  13. Zoom gets a shot by the public.
  14. For those Zoom users... please be alert...
  15. For a quick fix, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and set to "Deny all".
  16. I’ll just leave this here
  17. Dear Zoomers... let's hear your views on this
  18. I have read a few articles about the weak security and vulnerability of Zoom for a while now. I hope it isn't true.
  19. Many companies blindly switched to this
  20. Eiiii.... just when I am planning to use it?
  21. Zoom vulnerabilities keep coming out. I guess being in the spotlight really is dangerous..
  22. Well,

    Looks like an alternative to Zoom is needed. :(
  23. I hear a lot of talk about Zoom. May want to look into this.
  24. Look out folks if you use this...
  25. Everyone out there who is using Zoom, be aware,
  26. Be careful everyone #privacy #cybersecurity
  27. :(
    This one is pretty bad, folks.
  28. For anyone using Zoom, good info to know.
  29. A commercial break first...
    ...for all Zoom users out there...
  30. For a quick fix, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and set to "Deny all".
  31. Well now this sucks