Zoom security bug lets attackers steal Windows passwords

Zoom, the videoconferencing tool whose popularity skyrocketed as most people around the world began working from home due to the coronavirus outbreak, is turning into a privacy and security nightmare.

BleepingComputer reported a vulnerability in Zoom that allows hackers to steal Windows login credentials from other users. The actual problem lies with how Zoom’s chat handles links: it converts Windows networking UNC paths into clickable links. If a user clicks such a link, Windows will leak the user’s Windows login name and password to the remote host named in the path.

The good news is that the password is hashed, but the bad news is that in most cases a tool like Hashcat can be used to recover the password from that hash.

The vulnerability was first detected by security researcher @_g0dmode and verified by security researcher Matthew Hickey. Additionally, Hickey told the news outlet that this security bug can be used to launch programs on a victim’s computer when they click on a link, though Windows will at least give a security warning before launching the program.

As far as security vulnerabilities go, this one is quite bad, as it doesn’t require a lot of expertise to exploit. It does require a victim to actually click on a link, and it can be avoided by tinkering with Windows’ security settings, but it’s definitely something Zoom should fix soon by changing the way the platform’s chat handles UNC links.
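To make the chat-handling problem concrete, here is an added Python example (constructed for this article, not Zoom's code): a naive linkifier that turns UNC paths into clickable links, next to a hardened one that only links explicit http(s) URLs, plus a scanner a defender could use to flag UNC paths in chat text. The sample messages, host names and share names are all made up.

```python
import html
import re

# Constructed sample chat messages; hosts and shares are fictional.
SAMPLE_MESSAGES = [
    "See the notes at https://example.org/notes",
    r"Files are here: \\fileserver.example\share\q1.xlsx",
    r"\\203.0.113.10\c$\tools",
    "just text, no links",
]

# A Windows UNC path: two backslashes, a host (name or IP), then \share[\more].
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\]+)+")
# Explicit http(s) URLs only.
HTTP_RE = re.compile(r'https?://[^\s<>"]+')


def _render(text: str, link_patterns) -> str:
    """HTML-escape text and wrap every match of the given patterns in an <a> tag."""
    combined = re.compile("|".join(p.pattern for p in link_patterns))
    out, pos = [], 0
    for m in combined.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{target}">{target}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def naive_linkify(text: str) -> str:
    """The behaviour the article describes: anything that looks like a URL or a
    UNC path becomes clickable. Clicking a UNC link makes Windows open an SMB
    connection to the named host and authenticate with the user's credentials."""
    return _render(text, [HTTP_RE, UNC_RE])


def safe_linkify(text: str) -> str:
    """Hardened variant: only http(s) URLs become links; UNC paths stay plain text."""
    return _render(text, [HTTP_RE])


def find_unc_paths(text: str) -> list:
    """Detection helper: return every UNC path found in a chat message."""
    return UNC_RE.findall(text)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("UNC paths:", find_unc_paths(msg))
        print("naive:", naive_linkify(msg))
        print("safe: ", safe_linkify(msg))
```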

In the meantime, for a quick fix, open the Group Policy editor and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and set it to “Deny all”.

This is not the only issue that has been uncovered at Zoom in the past couple of weeks. Yesterday, The Intercept reported that Zoom does not use an end-to-end encrypted connection for its calls, despite claiming to do so. There’s also the issue of leaking users’ email addresses and photos to unknown parties, and the fact that the company’s iOS app also sent data to Facebook.

Zoom also has a couple of other worrying privacy issues, and although this isn’t Zoom’s fault, it’s worth noting that hackers are using the app’s newfound popularity to trick users into downloading malware.


Thomas Burn is a blogger, digital marketing expert and working with Techlofy. Being a social media enthusiast, he believes in the power of writing.
