Zoom Flaw could Steal Passwords and Install Malware: What to Do Now

Zoom Flaw could Steal Passwords and Install Malware: What to Do Now

UPDATE April 2: Zoom now says it has fixed this flaw

The flaw in the Zoom video conferencing software allowed hackers, pranksters, and "Zoom bombers" to steal passwords and possibly run malware by tricking people into clicking on links in the chat windows of Zoom meetings

The problem is that the Zoom meeting is not a "Zoom meeting

The problem is that Zoom does not distinguish between another kind of network link called, for example,http://wwwfoobarcom,のようなウェブURLと、Windows上ではwwwfoobarcomevilstuffevilfileexeのように見えるUniversal the Naming Convention (UNC) path (Note that URL links use forward slashes, whereas UNC links use backward slashes)

A UNC link sends your PC on a quest to retrieve a file hosted on a remote server Your machine will attempt to log into the remote server using your Windows login credentials and may attempt to run applications stored on the server

To protect yourself, first make sure that you do not click on links with backslashes in Zoom's chat window, and that all URLs you click on begin with "http" or "https"

If you are tech-savvy, block outbound port 445 in your firewall settings Then install and run the best anti-virus program to catch any malware that may be coming in

If you are hosting a Zoom meeting, do not make the meeting ID public and password protect it if there is a way to tell meeting participants the password in advance Doing so will prevent unscrupulous people from trying to crash your meeting

If an attacker posts a UNC link in the chat window of a Zoom meeting, and you, the Zoom user, click the latter, and your Windows computer or firewall allows network sharing over the Internet, your computer will attempt to access the specified file on the foobarcom server using the SMB (Server Message Block) file sharing protocol

Your computer will attempt to log in to the foobarcom server by sending a Windows user name and a weakly encrypted Windows password to the remote server

This password may be encrypted using Windows' NTLM algorithm If so, the moron who posted the UNC link could log into your computer [If the path of the UNC file led to an application or other executable file on the foobarcom server, that application (possibly malware) could open and run on your machine You will get a warning pop-up from Windows that software from the Internet is about to run, but most people will click "OK" The jerk with your Windows login credentials can use that malware to gain remote access to your computer

In this video posted on YouTube by Mohamed A Baset, a Mac on the left side of the screen is participating in a Zoom meeting with a Mac running a Windows emulator on the right side of the screen The Mac is in a Zoom chat window with the application " UNC link pointing to "payloadexe" is sent

When the Windows user clicks on the link, Zoom hangs at first, but eventually opens the payload (a lightweight network interface program called PuTTY) on the Windows virtual machine This is not a malicious application, but it could be

We have not attempted to reproduce Baset's attack, and to our knowledge no one has yet However, we cannot imagine why it would not work We asked Baset on Twitter and he said that this could indeed be a malware attack

This flaw in Zoom was first noticed on March 23 by Twitter user @_g0dmode, but Twitter user @hackerfantastic posted a screenshot of the actual exploit and alerted Zoom and the UK's National It didn't really get attention until yesterday (March 31), when the Cyber Security Center was alerted

Following @hackerfantastic's tweet, Baset (@SymbianSyMoh) uploaded a YouTube video showing the same exploit opening a remote application on the target machine

Not everyone at InfoSec Twitter was so impressed Amit Serper (@0xAmit), vice president of security strategy at Cybereason, a Boston-based security firm, said that users had to click a UNC link, and that the same flaw exists in the default file manager of the Microsoft OS, Windows He pointed out that the same flaw also exists in Explorer, the default file manager of Microsoft OS

Another Twitter user replying to Serper imagined that many home Internet service providers likely block outbound port 445 used by SMB by default, negating this exploit's attack vector [However, that is not an absolute, and there is no doubt that the jerks around the world are attempting to attack Zoom users with this exploit starting today

This is not only another embarrassing revelation in terms of security and privacy for Zoom, whose usage skyrocketed and stock price soared during the home stay caused by the Coronavirus, but it is also drawing attention to its shortcomings in the information security world Many are now looking for alternatives to Zoom

In the past week, we have learned that anyone can "blow up" a public Zoom meeting, that Zoom sent iOS users' profiles to Facebook, that Zoom's "end-to-end" encryption does not, and that normal macOS security precautions can be bypassed to use hacker-like methods; that Zoom automatically puts everyone who shares the same email domain into a "company" folder so they can see each other's information; that Zoom's privacy policy (which has since been revised) gives them the right to share personal data with advertisers and so on

Meanwhile, thousands of Zoom-related domains have been registered in the past week, indicating that malicious hackers and other online criminals are planning to plant phishing scams and malware on Zoom users

"This week will be an important week for Zoom and $ZM shareholders," former Facebook and Yahoo security chief Alex Stamos wrote on Twitter yesterday

"It's a big week for us because the entire information security world is descending on an incredibly complex product with many attack targets and sketchy design tradeoffs

"Zoom is going to have to show more transparency," Stamos added A documented 30-day security plan that includes a functional freeze, several rounds of expert pen-testing, and the rollout of a tailored disclosure policy would be smart"

Categories