Part of a ZDNet Special Feature: Working from home: The future of business is remote

Windows 10 alert: Zoom client can leak your network login credentials

Users of the Zoom Windows client's chat feature need to be cautious about clicking on links.


On the heels of Zoom's iPhone privacy blunder, a security researcher has found that attackers can use the Zoom Windows client's group chat feature to share links that will leak the Windows network credentials of anyone who clicks on them. 

Zoom is under extra scrutiny as usage of the video conference app has surged during the coronavirus COVID-19 outbreak


The group chat feature lets users send messages to other participants in a meeting and converts URLs into hyperlinks for the recipient to open a web page in a browser. 

But as BleepingComputer reports, the Zoom client converts not only normal URLs into clickable links but also Windows networking Universal Naming Convention (UNC) paths.


UNC is used to specify the location of a network resource, such as a file that could be hosted on an attacker-controlled SMB (Server Message Block) server. 

When someone clicks on the UNC path link, Windows attempts to connect to the remote site using the SMB network file-sharing protocol. By default, Windows then sends the user's login name and NT LAN Manager (NTLM) credential hash.

Additionally, whenever an SMB connection is made, it may leak the client's IP address, domain name, user name, and host name. 

While the hash is not plaintext, a really bad password can be cracked in seconds on a computer with an average GPU using tools like the John the Ripper password cracker.

The bug was discovered by security researcher @_g0dmode. UK security researcher Matthew Hickey has demonstrated that the UNC path injection issue affecting the Zoom client can be used to leak credentials for use in subsequent SMB Relay attacks. He also found the UNC path link can be used to launch an executable, though Windows will display an alert.

Hickey says Zoom's fix should involve not rendering UNC paths as hyperlinks. 
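The fix Hickey describes, sketched as an added example (not Zoom's code and not from the original article): a chat renderer that turns only allowlisted `http`/`https` URLs into hyperlinks and leaves UNC-style paths as inert text. The function names and the sample messages are hypothetical and constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes are ever rendered as clickable links.
ALLOWED_SCHEMES = {"http", "https"}
TOKEN = re.compile(r"\S+")  # candidate links are whitespace-delimited tokens


def is_unc_like(token: str) -> bool:
    r"""True for \\host\share, //host/share and file: URLs, all of which
    Windows may resolve over SMB when opened."""
    normalized = token.replace("/", "\\")
    return normalized.startswith("\\\\") or token.lower().startswith("file:")


def is_safe_link(token: str) -> bool:
    """Allowlist check: reject UNC-like tokens, accept only http(s) with a host."""
    if is_unc_like(token):
        return False
    try:
        parts = urlsplit(token)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_message(text: str) -> str:
    """Return HTML for a chat message. Allowlisted URLs become anchors;
    everything else, including UNC paths, is escaped plain text."""
    out, pos = [], 0
    for match in TOKEN.finditer(text):
        out.append(html.escape(text[pos:match.start()]))
        token = match.group()
        if is_safe_link(token):
            href = html.escape(token, quote=True)
            out.append(f'<a href="{href}">{href}</a>')
        else:
            out.append(html.escape(token))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages.
    print(render_message("slides: https://example.com/deck"))
    print(render_message(r"notes: \\files.example\share\notes.txt"))
```

Because the check is an allowlist rather than a UNC blocklist, forward-slash variants and `file:` URLs are also left unlinked.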


Zoom told ZDNet that it puts ensuring the privacy and security of its users and their data first.

"We're aware of the UNC issue and are working to address it," a Zoom spokesperson said.

Microsoft's instructions for restricting outgoing NTLM traffic to remote servers can be implemented to avoid UNC link attacks until Zoom issues a fix.