Hackers can steal Windows credentials via links in Zoom chat

Attack can be prevented by changing Windows settings, or through Zoom Web client

Credit: Zoom

An unpatched vulnerability within Zoom allows an attacker to drop a malicious link into a chat window and use it to steal a Windows password, according to reports.

A hacker could use an attack called a UNC path injection to expose credentials, according to an attack posted on Twitter and subsequently followed up with an additional video.

According to The Hacker News, that's because Windows exposes a user's login name and password to a remote server when attempting to connect to it and download a file.

Credit: HackerFantastic / Twitter

All an attacker needs to do is to send a link to another user and convince them to click it, for the attack to commence. Though the Windows password is still encrypted, the hack claims it can be easily decrypted by third-party tools if the password is a weak one.

As Zoom gains in popularity, it's caught the eye of the security community, which is more closely examining the videoconferencing software for weaknesses.

In addition to the risk of "Zoom bombing," criticisms have been levelled at the software for claiming to be end-to-end encrypted, when in fact it actually isn't.

Last year, a flaw surfaced that potentially would allow remote users to join a Mac user to a call, then turn their camera on without permission. That flaw was patched. Zoom hasn't, however, announced a fix for the current bug.

The Hacker News recommends either using the Windows security policy settings to turn off the automatic transmission of NTML credentials to a remote server, or else just use the Zoom client for the web.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftWindowszoom

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?