Since the COVID-19 pandemic took hold and forced many countries into lockdowns, communication technology has become vital. Hundreds of millions of people are at home and are using tech to talk to loved ones and to work. Services like Slack and Microsoft Teams have enjoyed surges in active users. However, perhaps the biggest winner from the COVID-19 outbreak has been Zoom.
The video communication platform has always been relatively popular, but it wasn’t a mainstream service. That has changed over recent weeks as Zoom has become the go-to communication platform for millions of new users.
However, Zoom was perhaps not really prepared for the major uptick in users. Certainly, the platform has had its share of problems over the last week. For example, bad actors have been infiltrating meetings and "Zoombombing" participants. The company also removed data sharing with Facebook over concerns regarding GDPR rules.
It seems Zoom's problems are not over, as a vulnerability has been found that allows hackers to obtain users' Windows login details. First spotted by Twitter user Mitch, the flaw was later confirmed and investigated by BleepingComputer.
According to the report, the problem centers on Zoom's handling of URLs. Specifically, when a URL is sent in a chat, the platform converts it into a clickable link. However, Zoom is also converting Windows networking UNC paths (for example, \\server\share) into links. When the UNC path link is clicked, Windows attempts to connect to the remote host over SMB file sharing.
When this happens, Windows automatically sends the user's login credentials, including an NTLM password hash. Cracking an NTLM hash can be straightforward and would reveal the user's password to a bad actor. As the report suggests, the simple way for Zoom to fix this is to stop converting UNC paths into links.
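The fix the report recommends is a change in how chat text is linkified: turn http(s) URLs into links, but leave UNC paths as plain text so a click can never trigger an SMB connection. The following is an added example of that approach, not Zoom's code; the function names, the regular expressions and the sample chat message are all constructed for illustration.

```python
import html
import re

# Only http(s) URLs are turned into clickable links (assumption: this is the
# only scheme the chat should linkify).
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# A Windows UNC path: two leading backslashes, a host name, then zero or more
# backslash-separated segments (e.g. \\fileserver\share\notes.txt).
UNC_RE = re.compile(r"\\\\[^\s\\/]+(?:\\[^\s\\]*)*")


def is_unc_path(text: str) -> bool:
    """True if the whole (stripped) text is a single UNC path."""
    return UNC_RE.fullmatch(text.strip()) is not None


def find_unc_paths(message: str) -> list[str]:
    """Return every UNC path found in a chat message (useful for logging or
    alerting on messages that carry SMB-reachable paths)."""
    return UNC_RE.findall(message)


def linkify(message: str) -> str:
    """HTML-escape a chat message and wrap only http(s) URLs in <a> tags.

    UNC paths are deliberately not matched, so they are emitted as escaped
    plain text rather than as links the client could follow over SMB.
    """
    parts = []
    pos = 0
    for match in URL_RE.finditer(message):
        # Text before the URL (which may include a UNC path) stays plain.
        parts.append(html.escape(message[pos:match.start()]))
        url = match.group(0)
        parts.append(
            f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>'
        )
        pos = match.end()
    parts.append(html.escape(message[pos:]))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample message containing one URL and one UNC path.
    sample = "Join at https://example.test/meet and see \\\\fileserver\\share\\notes.txt"
    print(linkify(sample))
    print("UNC paths found:", find_unc_paths(sample))
```

Running the block shows the URL wrapped in an anchor tag while `\\fileserver\share\notes.txt` is left as inert text; `find_unc_paths` gives a server-side hook for flagging such messages before they reach other participants.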
Boris Johnson Gaffe
British Prime Minister Boris Johnson is among the multitude of people now using Zoom for communication. The politician is currently in isolation after contracting COVID-19 while moving the United Kingdom into lockdown.
This morning I chaired the first ever digital Cabinet.
— Boris Johnson (@BorisJohnson) March 31, 2020
On Tuesday, Johnson tweeted an image of a Zoom meeting, the first virtual cabinet meeting held since he entered isolation. However, the world leader forgot to remove the meeting ID number, sparking security concerns.
Users thought they would be able to tap into future meetings if they could guess the password, or if the meetings were left open. However, the government confirmed the meetings are password protected.
This seems to be true because the tweet is still up.