Security researchers have discovered a vulnerability in the Zoom Windows client that could allow attackers to steal the Windows login credentials of users who click on a malicious link.
According to security researchers Matthew Hickey (@HackerFantastic) and Mitch (@_g0dmode0), the application’s chat feature is vulnerable to UNC path injection, enabling attackers to capture NTLM password hashes whenever someone clicks on such a link within a message.
The group chat feature allows users to send messages to other participants in a meeting and converts URLs into hyperlinks so the recipient can open a web page in a browser. As the researchers discovered, the Zoom client also converts Windows networking UNC paths into clickable links in chat messages.
As Bleeping Computer explains, when a user clicks on the UNC path link, Windows attempts to connect to the remote host using the SMB network file-sharing protocol to open the remote file (cat.jpg in the researchers’ example). By default, Windows then sends the user’s login name and NT LAN Manager (NTLM) credential hash, which can be cracked with freely available tools such as Hashcat to recover the user’s password.
Additionally, an attacker can use UNC injection to launch programs on the local computer when a link is clicked.
The researchers say Zoom’s fix should prevent the chat system from converting UNC paths into clickable hyperlinks.
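Added example (not code from Zoom or the researchers): a minimal chat linkifier in Python that shows the behaviour the article describes next to the fix the researchers recommend, linking only http(s) URLs and leaving UNC paths as inert text. The sample message and host name are constructed.

```python
import re
from html import escape

# Constructed sample chat message (not taken from the article): one ordinary
# web URL and one Windows UNC path of the kind the researchers described.
SAMPLE_MESSAGE = r"Agenda: https://example.com/agenda and \\attacker.example\share\cat.jpg"

# Anything that looks like an http(s) URL or a \\host\share UNC path.
_TOKEN_RE = re.compile(r"https?://\S+|\\\\\S+")
# A UNC path specifically: \\host\share... (backslash-separated, no spaces).
_UNC_RE = re.compile(r"\\\\[^\s\\]+\\\S*")


def _render(text: str, allow) -> str:
    """HTML-escape `text`, turning each token for which allow(token) is true
    into an <a href> and leaving every other token as plain text."""
    out, pos = [], 0
    for m in _TOKEN_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        tok = m.group(0)
        if allow(tok):
            out.append(f'<a href="{escape(tok, quote=True)}">{escape(tok)}</a>')
        else:
            out.append(escape(tok))
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


def vulnerable_linkify(text: str) -> str:
    """The behaviour the article describes: every URL-like token, UNC paths
    included, becomes clickable. Clicking the UNC link makes Windows open the
    path over SMB and send the user's NTLM hash to that host."""
    return _render(text, lambda tok: True)


def safe_linkify(text: str) -> str:
    """The fix the researchers recommend: only http(s) URLs become links;
    a UNC path is rendered as escaped plain text that nothing can click."""
    return _render(text, lambda tok: tok.lower().startswith(("http://", "https://")))


def find_unc_paths(text: str) -> list[str]:
    """Detection helper for logging or moderation: list UNC paths in a message."""
    return _UNC_RE.findall(text)


if __name__ == "__main__":
    print(vulnerable_linkify(SAMPLE_MESSAGE))
    print(safe_linkify(SAMPLE_MESSAGE))
    print(find_unc_paths(SAMPLE_MESSAGE))
```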