Because of COVID-19, businesses had to go digital. Many events and courses have become virtual. With this digitalization, millions of people are using various communication tools. As a result, the number of Zoom users around the globe is increasing day by day. Zoom has existed for nine years; it became one of the most popular communication tools during the coronavirus pandemic.
UNC path injection
Researcher Matthew Hickey confirmed, and Mohamed Baset demonstrated, that the Zoom video conferencing software for Windows is open to a classic ‘UNC path injection’ vulnerability. It allows remote attackers to steal victims’ Windows login credentials. In addition, the attacker can even execute arbitrary commands on their systems.
Via the chat interface, an attacker can send a crafted URL (e.g., \\x.x.x.x\abc_file) to a Zoom user. That is enough to steal the Windows login credentials of the targeted user: if the user clicks it, Windows automatically connects to the attacker-controlled SMB share and hands over its authentication data, without the knowledge of the targeted user.
At the same time, Google security researcher Tavis Ormandy confirmed that the flaw can also be exploited to launch any program already present on a targeted computer, or to execute arbitrary commands to compromise it remotely. After this bug was discovered, Zoom’s CEO Eric Yuan addressed the bugs in a blog post to users.
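The root cause described above is a chat renderer that turns anything path-like, including a UNC path, into a clickable hyperlink. The following Python example, added here and not taken from Zoom or from the article, shows a naive linkifier beside a hardened one that only makes http(s) URLs clickable, plus a small detection helper that flags UNC paths in messages. The sample chat lines, the 203.0.113.5 address and the share names are constructed for the example; the regular expressions also cover the forward-slash spelling //host/share, which Windows accepts as a UNC path, so the check goes slightly beyond the backslash form quoted in the article.

```python
import html
import re

# Constructed sample chat messages for this example (not from the article).
SAMPLE_MESSAGES = [
    "agenda: https://example.com/agenda",
    r"slides: \\203.0.113.5\share\slides.pptx",
    "mirror: //203.0.113.5/share/slides.pptx",
    "no links here",
]

# http(s) URLs are the only link form the hardened renderer will make clickable.
HTTP_URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

# UNC path: \\host\share... or the forward-slash spelling //host/share...
# The lookbehind stops the "//" inside "https://" from being taken for a UNC path.
UNC_RE = re.compile(r'(?:\\\\|(?<![\w:])//)[\w.\-]+[\\/][^\s<>"]+')

# Everything the naive renderer treats as a link (the vulnerable behaviour).
ANY_LINK_RE = re.compile(
    "(?:%s)|(?:%s)" % (HTTP_URL_RE.pattern, UNC_RE.pattern), re.IGNORECASE
)


def find_unc_paths(message):
    """Return every UNC path found in a chat message (detection hook for logging)."""
    return UNC_RE.findall(message)


def scan_chat(messages):
    """Return [(message, [unc paths])] for every message that carries a UNC path."""
    hits = []
    for msg in messages:
        paths = find_unc_paths(msg)
        if paths:
            hits.append((msg, paths))
    return hits


def _render(message, link_re):
    """HTML-escape the message and wrap every match of link_re in an <a> tag."""
    out, pos = [], 0
    for m in link_re.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        target = html.escape(m.group(0), quote=True)
        out.append('<a href="%s">%s</a>' % (target, target))
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def linkify_naive(message):
    """Vulnerable pattern: a UNC path becomes a clickable link, so one click makes
    Windows open an SMB connection to the host named in the path."""
    return _render(message, ANY_LINK_RE)


def linkify_safe(message):
    """Hardened pattern: only http(s) URLs become links; a UNC path stays plain text."""
    return _render(message, HTTP_URL_RE)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("naive:", linkify_naive(msg))
        print("safe: ", linkify_safe(msg))
    for msg, paths in scan_chat(SAMPLE_MESSAGES):
        print("flagged UNC path(s) %r in %r" % (paths, msg))
```

The fix is an allow-list, not a deny-list: `linkify_safe` decides what may become a link rather than trying to enumerate every dangerous path form, so spellings the UNC regex does not anticipate still render as inert text. `scan_chat` is the piece a defender would wire into message logging to see how often UNC paths are being sent.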
According to Eric Yuan, on April 1, Zoom published a blog to clarify the facts around encryption on its platform, acknowledging and apologizing for the confusion. The attendee attention tracker feature has also been removed. The company released fixes for both Mac-related issues raised by Patrick Wardle and a fix for the UNC link issue. They have permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.