[WARNING] Zoom Lets Attackers Steal Windows Credentials via UNC Links

Porthos

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

When using the Zoom client, meeting participants can communicate with each other by sending text messages through a chat interface.

When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser.

The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well.

https://www.bleepingcomputer.com/ne...kers-steal-windows-credentials-via-unc-links/
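
An added example, not part of the original post or the linked article: a chat linkifier written defensively, so that only http/https URLs become clickable and UNC paths are left as plain text and flagged. It goes slightly beyond the post by also refusing file:// and other non-web schemes; the function names and the host.example sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # only these become clickable

# \\host or \\host\share..., plus the //host/share form Windows also accepts.
UNC_RE = re.compile(r'^(?:\\\\[^\\/\s]+(?:[\\/]\S*)?|//[^\\/\s]+/\S+)$')

def classify(token):
    """Return 'web', 'unc', 'blocked' or 'text' for one chat token."""
    if UNC_RE.match(token):
        return "unc"
    try:
        parts = urlsplit(token)
    except ValueError:           # malformed URL, e.g. broken IPv6 literal
        return "text"
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES and parts.netloc:
        return "web"
    if scheme and token[len(scheme):].startswith("://"):
        return "blocked"         # file://, smb:// and any other scheme
    return "text"

def linkify(message):
    """Return (segments, flagged): segments are (text, href-or-None) pairs."""
    segments, flagged = [], []
    for raw in message.split():
        token = raw.rstrip(".,;!?)")     # drop trailing sentence punctuation
        kind = classify(token)
        segments.append((raw, token if kind == "web" else None))
        if kind in ("unc", "blocked"):
            flagged.append((kind, token))
    return segments, flagged

# Constructed sample message; host.example is a placeholder name.
SAMPLE = r"Agenda: https://example.com/agenda and \\host.example\share\notes.txt"

if __name__ == "__main__":
    segs, flagged = linkify(SAMPLE)
    for text, href in segs:
        print(f"{text!r:45} -> {'link' if href else 'plain text'}")
    print("flagged for review:", flagged)
```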
 
New things seem to be coming out about Zoom every day now and it doesn’t seem like the company was prepared for this amount of attention. No surprise they valued ease of use over security and privacy.
 
New things seem to be coming out about Zoom every day now and it doesn’t seem like the company was prepared for this amount of attention. No surprise they valued ease of use over security and privacy.

Nor do I think they were prepared for a sudden, massive increase in users and usage. They're pretty much like all tech companies, where the more people using it, the more scrutiny you receive (and the more rapidly bugs come out, not only because of that specific scrutiny, but because they get uncovered during use).
 