Zoom patches Windows vulnerability that let attackers steal your Windows login from dodgy chat links
The suddenly popular videoconferencing app Zoom has issued a patch for a vulnerability in its Windows client that allowed attackers to capture the user's Windows login credentials (the NTLM challenge-response Windows sends when it connects to a file share, which can be cracked offline or relayed) from malicious chat links.
Hi @zoom_us & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screenshot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
I made a simple demo of the latest Zoom UNC Path Injection Vulnerability. Take care and don't click on ANY UNC Path hyperlinks!
P.S. I used putty as a payload.exe, which could be ANY_THING_ELSE.exe
— Mohamed A. Baset (@SymbianSyMoh) April 1, 2020
Zoom issued a fix for this and other bugs, promising better transparency going forward, as another outlet reports:
An unpatched vulnerability within Zoom allows an attacker to drop a malicious link into a chat window and use it to steal a Windows password, according to reports.
A hacker could use an attack called a UNC path injection to expose credentials, according to an attack posted on Twitter and subsequently followed up with an additional video. According to The Hacker News, that's because Windows exposes a user's login name and password to a remote server when attempting to connect to it and download a file.
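The mechanism the reports describe is that a chat message containing a network path such as \\host\share\file is turned into a clickable link, and clicking it makes Windows open an SMB (or WebDAV) connection to that host and authenticate, leaking the NTLM exchange. The following is an added example, not Zoom's code and not from any of the cited reports: a chat linkifier that recognizes the path forms Windows resolves over the network and refuses to make them clickable, plus a scanner that extracts the host each such link would authenticate to, which is the check a defender would run over archived chat. The regular expression, the sample messages, and the function names are constructed for illustration.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed chat messages for the demo (not taken from the original reports).
SAMPLE_MESSAGES = [
    "meeting notes are at https://example.com/notes",
    r"grab the file from \\10.0.0.5\share\report.docx",
    "mirror: file://10.0.0.5/share/report.docx",
    "check //fileserver/public/readme.txt too",
]

# Candidate link tokens: scheme://..., \\... and bare //... (the last only when the
# slashes are not part of a scheme delimiter). Hypothetical pattern, enough for the demo.
LINK_RE = re.compile(
    r"(?:[a-z][a-z0-9+.\-]*://\S+)|(?:\\\\\S+)|(?:(?<![:/])//\S+)",
    re.IGNORECASE,
)


def unc_target(token: str) -> Optional[str]:
    """Return the host Windows would contact (and authenticate to) for this token,
    or None when the token is not a network path."""
    t = token
    if t.lower().startswith("file:"):
        parsed = urlparse(t)
        if parsed.netloc:                      # file://host/share/...
            t = "//" + parsed.netloc + parsed.path
        else:                                  # file:////host/share/... or local file:///C:/...
            t = parsed.path
    t = t.replace("\\", "/")                   # \\host\share and //host/share are equivalent to Windows
    if not t.startswith("//"):
        return None
    host = t[2:].split("/", 1)[0]
    # \\host@SSL\share and \\host@port\share are routed to the WebDAV redirector,
    # which also sends credentials; strip the suffix to get the real host.
    host = host.split("@", 1)[0]
    return host.lower() or None


def classify(token: str) -> str:
    """'web' for http(s) links, 'unc' for anything resolved over SMB/WebDAV,
    'file' for local file: links, 'other' for unknown schemes."""
    if token.startswith("\\\\") or token.startswith("//"):
        return "unc"
    scheme = urlparse(token).scheme.lower()
    if scheme == "file":
        return "unc" if unc_target(token) else "file"
    if scheme in ("http", "https"):
        return "web"
    return "other"


def render(message: str) -> str:
    """Render a chat message as HTML: only web links become anchors; UNC and
    file paths are emitted as inert, escaped text so a click cannot reach them."""
    out, pos = [], 0
    for m in LINK_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        token = m.group(0)
        if classify(token) == "web":
            out.append(f'<a href="{html.escape(token, quote=True)}">{html.escape(token)}</a>')
        else:
            out.append(html.escape(token))      # rendered, but not clickable
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def find_unc_paths(messages: List[str]) -> List[Tuple[str, str]]:
    """Scan archived messages and return (token, host) for every network path,
    i.e. every link that would have triggered an outbound authentication."""
    hits = []
    for msg in messages:
        for m in LINK_RE.finditer(msg):
            token = m.group(0)
            host = unc_target(token)
            if host:
                hits.append((token, host))
    return hits


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(render(msg))
    for token, host in find_unc_paths(SAMPLE_MESSAGES):
        print(f"network path {token!r} would authenticate to {host}")
```

The linkifier side is the fix a chat client needs; it does nothing for the endpoint if some other application still follows the link. The complementary host-side checks are the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (set to deny, with an audit pass first to catch legitimate NTLM use) and blocking outbound TCP 445 at the perimeter, so that a captured UNC link has no server to authenticate to.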
----
Update: After this story and others went live on April 1, Zoom CEO Eric Yuan addressed Zoom security and other issues in a blog post.
Original Link: https://boingboing.net/2020/04/03/zoom-windows-login.html