A flaw in Zoom video-conferencing software lets hackers, pranksters and “Zoom bombers” steal your passwords or possibly even run malware by tricking you into clicking on a link in a Zoom meeting’s chat window.

The problem is that Zoom doesn’t distinguish between web URLs like, say, http://www.foobar.com, and another kind of network link called a Universal Naming Convention (UNC) path, which might look like \\www.foobar.com\evilstuff\evilfile.exe on Windows. (Note that while URL links use forward slashes, UNC links use backward slashes.)

The UNC link will send your PC off on a quest to retrieve files hosted on a remote server, which could be controlled by the jerk who posted the UNC link in your Zoom meeting’s chat window. Your machine will try to log into the remote server using its Windows login credentials, and might try to run an application stored on the server.

What to do

To protect yourself, first of all, don’t click on links in Zoom chat windows that use backward slashes, and make sure that all the URLs you click on begin with “http” or “https”.

If you’re tech-savvy, then go into your firewall settings and block outbound port 445. And install and run one of the best antivirus programs to catch any malware that might come through.
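Blocking outbound port 445 only helps if the rule is actually in place, and a firewall log is the quickest way to check. The following script is an added example, not code from the article or from Zoom: it parses a constructed firewall log format (the line layout, the sample lines and the 203.0.113.0/24 documentation addresses standing in for internet hosts are all assumptions) and flags outbound SMB connections (TCP/445, plus legacy 139) to addresses outside the private ranges, separating the ones the firewall allowed from the ones it blocked.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed log format for this example:
# "<date> <time> <ALLOW|BLOCK> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# SMB runs over TCP/445; 139 is the legacy NetBIOS session port.
SMB_PORTS = {445, 139}

# Address ranges treated as "inside" the network; anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: one internal file-share connection, one SMB connection
# that reached an internet host, one HTTPS connection, one SMB connection the
# firewall blocked, and one unparseable line.
SAMPLE_LOG = """\
2020-04-01 10:00:01 ALLOW TCP 192.168.1.20:49152 -> 192.168.1.5:445
2020-04-01 10:00:07 ALLOW TCP 192.168.1.20:49153 -> 203.0.113.7:445
2020-04-01 10:00:09 ALLOW TCP 192.168.1.20:49154 -> 198.51.100.9:443
2020-04-01 10:01:30 BLOCK TCP 192.168.1.21:49200 -> 203.0.113.7:445
garbage line that does not parse
"""


def is_external(ip: str) -> bool:
    """True if the address lies outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Tuple[str, str, str, int, str]]:
    """Return (timestamp, src, dst, dport, action) for TCP connections to SMB ports on external hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        dport = int(m["dport"])
        if m["proto"] == "TCP" and dport in SMB_PORTS and is_external(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"], dport, m["action"]))
    return hits


def unblocked_external_smb(log_text: str) -> List[Tuple[str, str, str, int, str]]:
    """Only the SMB connections that actually left the network: the egress rule is missing or bypassed."""
    return [h for h in find_external_smb(log_text) if h[4] == "ALLOW"]


if __name__ == "__main__":
    for ts, src, dst, dport, action in find_external_smb(SAMPLE_LOG):
        print(f"{ts} {action:5} {src} -> {dst}:{dport}")
    print("allowed out:", len(unblocked_external_smb(SAMPLE_LOG)))
```

Any line returned by `unblocked_external_smb` means a machine on your network reached an internet host over SMB, which is exactly the traffic a UNC link in a chat window would generate.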

If you’re hosting a Zoom meeting, do NOT make the meeting ID public, and password-protect it if you have a way to communicate the password to meeting participants beforehand. That will keep out miscreants who may try to crash the meeting.

How the attack works

If an attacker posted a UNC link in a Zoom meeting chat window, you clicked on it, and your Windows computer or firewall allowed network file sharing over the internet, then your computer would try to access the designated files on the server at foobar.com using the Server Message Block (SMB) file-sharing protocol.

Your computer would try to log into the foobar.com server by sending your Windows username and a weakly encrypted form of your Windows password to the remote server.

That password might be encrypted using the Windows NTLM algorithm, which is very easy to “crack” to derive the actual password. If so, then the jerk who posted the UNC link can now log into your computer.

And if the UNC file path led to an application or other executable file on the foobar.com server, then the application — which could easily be malware — might open and run on your machine. The jerk who has your Windows login credentials could use that malware to remotely access your computer.
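The root cause described above and in the opening paragraphs is a chat client that turns anything link-shaped into a clickable link. The following script is an added example, not Zoom’s code or the author’s: it shows the check a chat client (or a moderation bot) should apply, treating only http and https URLs as clickable and recognising UNC paths so they can be left as plain text or logged. The regular expression, the function names and the sample message are constructed for this example; it also goes slightly beyond the article by catching the forward-slash form (//host/share), which Windows accepts as well.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Only these schemes are ever rendered as clickable links.
SAFE_SCHEMES = {"http", "https"}

# UNC path: leading "\\" (or "//", which Windows also accepts) followed by a
# host and optional "\share\file" segments. Pattern constructed for this example.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/\s]+([\\/][^\\/\s]*)*$")

# Whitespace-separated tokens of a chat message.
TOKEN_RE = re.compile(r"\S+")


def classify_link(token: str) -> str:
    """Classify one chat token as 'url' (http/https), 'unc' or 'other'."""
    if UNC_RE.match(token):
        return "unc"
    parsed = urlparse(token)
    # Require both a safe scheme and a host; "file://" or "javascript:" land in 'other'.
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return "url"
    return "other"


def render_chat_message(text: str) -> List[Tuple[str, bool]]:
    """Return (token, clickable) pairs; only http/https URLs become clickable."""
    return [(tok, classify_link(tok) == "url") for tok in TOKEN_RE.findall(text)]


def unc_paths_in(text: str) -> List[str]:
    """List the UNC paths in a message, e.g. for logging or moderation."""
    return [tok for tok in TOKEN_RE.findall(text) if classify_link(tok) == "unc"]


if __name__ == "__main__":
    # Constructed sample message reusing the article's example host.
    msg = r"Slides: http://www.foobar.com/deck and \\www.foobar.com\evilstuff\evilfile.exe"
    for tok, clickable in render_chat_message(msg):
        print(f"{'LINK' if clickable else 'text'}  {tok}")
    print("UNC paths:", unc_paths_in(msg))
```

The important design choice is the allow-list: rather than trying to recognise every dangerous link form, the renderer makes a link clickable only when it positively matches http or https with a host, which is the same rule the advice above gives to users.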

Video demonstration

This video, posted on YouTube by Mohamed A. Baset, shows a Mac on the left side of the screen participating in a Zoom meeting with a Mac running a Windows emulator on the right side of the screen. The Mac sends a UNC link pointing to the application “payload.exe” in the Zoom chat window.

The Windows user clicks on the link and, while Zoom initially hangs, it eventually opens the payload — a lightweight SSH and telnet client called PuTTY — on the Windows virtual machine. That’s not a malicious application, but it could have been.

We haven’t tried to duplicate Baset’s attack, and to our knowledge no one else has replicated it yet, but we can’t imagine why it wouldn’t work. We asked Baset via Twitter to clarify that this could indeed be a malware attack, and he replied that it was.

Twitter exchange

This flaw in Zoom was first noticed on March 23 by Twitter user @_g0dmode, but it didn’t really get attention until yesterday (March 31), when Twitter user @hackerfantastic posted a screenshot of the exploit in action and alerted Zoom and the U.K.’s National Cyber Security Center.

Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screenshot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
March 31, 2020

Following up on @hackerfantastic’s tweet, Baset (@SymbianSyMoh) put up his YouTube video showing the same exploit forcing the targeted machine to open a remote application.

Not everyone on infosec Twitter was so impressed. Amit Serper (@0xAmit), vice president of security strategy at Boston security firm Cybereason, noted that the user would have to click on the UNC link and that the same flaw exists in Windows Explorer, the default Microsoft OS file manager.

1. Link has to be clicked
2. Meeting has to be public for someone malicious to even join and post the link (which should probably be in your threat model anyhow)
3. This is how windows explorer works, it’s vulnerable as well
Conclusion: Stop using windows. #IHaveOpinions https://t.co/oUsz3td812
April 1, 2020

Another Twitter user replying to Serper speculated that a lot of residential Internet Service Providers likely block outbound port 445 — used by SMB — by default, negating the attack vector for this exploit.

However, that’s not a given, and you can bet that jerks worldwide will be trying to use this exploit to attack Zoom users in public meetings starting today.

Security gloom might doom Zoom boom

This is just another embarrassing security or privacy revelation for Zoom, whose skyrocketing use during the coronavirus work-from-home lockdown has sent its stock soaring but has also focused the information-security world’s attention on its shortcomings.

In the past week, we’ve learned that anyone can “bomb” a public Zoom meeting; that Zoom sent iOS user profiles to Facebook; that Zoom’s “end-to-end” encryption is anything but; that it uses hacker-like methods to bypass normal macOS security precautions; that Zoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information; and that Zoom’s privacy policy (since revised) gave it the right to share your personal data with advertisers.

Meanwhile, thousands of Zoom-related domains have been registered in the past week, indicating that malicious hackers and other online criminals are planning to bomb Zoom users with phishing scams and malware.

“This week is going to be a critical one for Zoom and $ZM shareholders,” wrote former Facebook and Yahoo security chief Alex Stamos on Twitter yesterday. “This is going to get worse, as the entire infosec world descends on a spectacularly complicated product with lots of attack surface and some sketchy design trade-offs.

“Zoom is going to need to demonstrate more transparency,” Stamos added. “A documented 30 day security plan that includes a feature freeze, several professional pen-tests and rolling out coordinated disclosure policies would be smart.”

This week is going to be a critical one for Zoom and $ZM shareholders. This is going to get worse, as the entire infosec world descends on a spectacularly complicated product with lots of attack surface and some sketchy design trade-offs. An opportunity for a trust turn-around. https://t.co/jjcJS6eWrD
April 1, 2020