Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

Two zero-day flaws have been uncovered in Zoom’s macOS client version, according to researchers. The web conferencing platform vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

The two flaws, uncovered by Patrick Wardle, principle security researcher with Jamf, emerge as Zoom comes under increased scrutiny over its security measures, particularly with more employees working from home over the past few weeks due to the coronavirus pandemic.

“Today, we uncovered two (local) security issues affecting Zoom’s macOS application,” said Wardle in a post this week. “Given Zoom’s privacy and security track record this should surprise absolutely zero people.”

The vulnerabilities come with the caveat that an attacker needs a local foothold on systems to exploit them – so bad actors would first need physical access to a victims’ computer. Another attack scenario could include a post-malware infection attack by a remote adversary with a preexisting foothold on the targeted system.

The first flaw stems from an issue with Zoom’s installer and allows unprivileged attackers to gain root privileges. The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app (leveraging preinstallation scripts) without any user interaction.

The API has actually been deprecated by Apple because the it does not attempt to validate a binary being executed at root. Because Zoom is using this API, it means “a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root,” said Wardle.

To exploit Zoom, the local, non-privileged attacker could simply modify a binary to include the runwithroot script during an install. Because it would then not be validated they would ultimately gain root access.

The second zero day flaw gives attackers Zoom’s mic and camera access, allowing for a way to record Zoom meetings, or snoop in on victims’ personal lives – sans a user access prompt.

Zoom requires access to a system microphone and camera due to its nature of being a web conferencing platform. While recent versions of macOS require explicit user approval for these permissions, Zoom has an “exception” that allows code to be injected by third party libraries. Wardle said a malicious third party library could be loaded into Zoom’s process/address space – automatically inheriting all Zooms access rights, and ultimately giving attackers control over these camera and microphone permissions.

“Due to an ‘exception’ entitlement, we showed how to inject a malicious library into Zoom’s trusted process context,” Wardle said. “This affords malware the ability to record all Zoom meetings, or, simply spawn Zoom in the background to access the mic and webcam at arbitrary times.”

Wardle said, “the former [flaw] is problematic as many enterprises (now) utilize Zoom for (likely) sensitive business meetings, while the latter is problematic as it affords malware the opportunity to surreptitious access either the mic or the webcam, with no macOS alerts and/or prompts.”



Other Security Flaws

Zoom security issues are snowballing. The FBI on Tuesday warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called “Zoom-bombing” attacks. These include a Massachusetts high school online classroom using Zoom, where an unidentified individual dialed in, yelled a profanity and then shouted the teacher’s home address in the middle of instruction, said the FBI’s report.

On Tuesday, security researchers uncovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users. The flaw was first discovered by a Twitter user under the handle _g0dmode, and then verified by security researcher Matthew Hickey, with cybersecurity firm Hacker House.

In chat messages on its platform, Zoom automatically converts UNC paths into clickable links. A UNC path is a PC format for specifying the location of resources on a local-area network (LAN), which can be used to access network resources.

Once a victim in the chat clicks on the linked UNC path, Windows will attempt to connect to the link using an SMB file sharing protocol, according to a report by Bleeping Computer. By default, this transmits the victim’s login name and password. The password is hashed via NTLM, but can easily be sniffed out and cracked by attackers (using free tools like Hashcat).

A separate Zoom issue, reported Wednesday by Motherboard, shows that Zoom is leaking the email addresses and photos of thousands of users. This is due to an issue in Zoom’s “Company Directory,” where the platform automatically adds people to other’s lists of contacts if they use an email address sharing the same domain.

“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section,” according to Zoom’s support page.
AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
IMF Upgrades Global Growth Forecast as Weaker Dollar Supports Outlook
House Republicans Move to Defund OECD Over Global Tax Dispute
France Opens Criminal Investigation into X Over Algorithm Manipulation Allegations
Trump Steamrolls EU in Landmark Trade Win: US–EU Trade Deal Imposes 15% Tariff on European Imports
ChatGPT CEO Sam Altman says people share personal info with ChatGPT but don’t know chats can be used as court evidence in legal cases.
Intel Reports Revenue Beats but Sees 81% Rise in Losses
Politics is a good business: Barack Obama’s Reported Net Worth Growth, 1990–2025
UN's Top Court Declares Environmental Protection a Legal Obligation Under International Law
"Crazy Thing": OpenAI's Sam Altman Warns Of AI Voice Fraud Crisis In Banking
The Podcaster Who Accidentally Revealed He Earns Over $10 Million a Year
UK Government Considers Dropping Demand for Apple Encryption Backdoor
Japanese Man Discovers Family Connection Through DNA Testing After Decades of Separation
Russia Signals Openness to Ukraine Peace Talks Amid Escalating Drone Warfare
Switzerland Implements Ban on Mammography Screening
Pogacar Extends Dominance with Stage Fifteen Triumph at Tour de France
President Trump Diagnosed with Chronic Venous Insufficiency After Leg Swelling
CEO Resigns Amid Controversy Over Relationship with HR Executive
NVIDIA Achieves $4 Trillion Valuation Amid AI Demand
Tulsi Gabbard Unveils Evidence Alleging Political Manipulation of Intelligence During Trump Administration
Centrist Criticism of von der Leyen Resurfaces as she Survives EU Confidence Vote
Trump Announces Coca-Cola to Shift to Cane Sugar in U.S. Production
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
Zelensky Reshuffles Cabinet to Win Support at Home and in Washington
"Can You Hit Moscow?" Trump Asked Zelensky To Make Putin "Feel The Pain"
Church of England Removes 1991 Sexuality Guidelines from Clergy Selection
Superman Franchise Achieves Success with Latest Release
Hungary's Viktor Orban Rejects Agreements on Illegal Migration
Air India Pilot’s Mental Health Records Under Scrutiny
Jamie Dimon Warns Europe Is Losing Global Competitiveness and Flags Market Complacency
Moonshot AI Unveils Kimi K2: A New Open-Source AI Model
Martha Wells Says Humanity Still Far from True Artificial Intelligence
Nvidia Becomes World’s First Four‑Trillion‑Dollar Company Amid AI Boom
EU Delays Retaliatory Tariffs Amid New U.S. Threats on Imports
Trump Proposes Supplying Arms to Ukraine Through NATO Allies
US Opens First Rare Earth Mine in Over 70 Years in Wyoming
Bitcoin Reaches New Milestone of $116,000
Severe Heatwave Claims 2,300 Lives Across Europe
Declining Beer Consumption Signals Cultural Shift in Germany
Emails Leaked: How Passenger Luggage Became a Side Income for Airport Workers
Polish MEP: “Dear Leftists - China is laughing at you, Russia is laughing, India is laughing”
Western Europe Records Hottest June on Record
BRICS Expands Membership with Indonesia and Ten New Partner Countries
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
China’s Central Bank Consults European Peers on Low-Rate Strategies
France Requests Airlines to Cut Flights at Paris Airports Amid Planned Air Traffic Controller Strike
Poland Implements Border Checks Amid Growing Migration Tensions
Emirates Airline Expands Market Share with New $20 Million Campaign
Amazon Reaches Milestone with Deployment of One Millionth Robot
Yulia Putintseva Calls for Spectator Ejection at Wimbledon Over Safety Concerns
House Oversight Committee Subpoenas Former Jill Biden Aide Amid Investigation into Alleged Concealment of President Biden's Cognitive Health
×