Researchers: Zoom’s Videoconferencing Software Lets Attackers Send Network Links to Steal Windows Credentials

The FPS Review may receive a commission if you purchase something after clicking a link in this article.

Image: Zoom

With COVID-19 locking workers at home, Zoom’s videoconferencing software is seeing a tremendous surge in usage and popularity, but it’s led to some serious scrutiny that isn’t working in the platform’s favor. Following allegations of data sharing, researchers now claim that Zoom has a security bug that lets attackers steal Windows logins and passwords.

This revolves around the fact that Zoom lets users paste UNC (Universal Naming Convention) paths into a chat window (e.g., \\images\cat.jpg), which are then automatically translated into clickable links. According to Bleeping Computer – which reported on security researcher @_g0dmode’s initial findings – “Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file. When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.”

This can also be exploited to trick a user into launching programs on a local computer. “For example, clicking on a UNC path like \\C$\windows\system32\calc.exe will attempt to launch the Windows Calculator executable on the computer,” BleepingComputer explains. (Windows will show a prompt before taking any action, however.)

There’s an ongoing debate as to whether this is actually a Windows issue – some users are blaming the OS for lax security measures (e.g., easily allowing credentials to be sent to remote servers). Others say that this is a whole lot of fuss over nothing, in that it’s synonymous to someone clicking on a suspicious email link.

In any case, there is an immediate fix for Zoom users who are paranoid about this so-called security bug.

For those who do not want to wait for a fix, there is a Group Policy that can be enabled that prevents your NTML credentials from automatically being sent to a remote server when clicking on a UNC link.

This policy is called ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ and is found under the following path in the Group Policy Editor.

Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options – Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

If this policy is configured to Deny All, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share.

It should be noted that when this policy is configured on domain-joined machines, it could cause issues when attempting to access shares. You can view this article to learn more about adding exceptions to the above policy.

If you are a Windows 10 Home user, you will not have access to the Group Policy Editor and will have to use the Windows Registry to configure this policy.

This can be done by creating the RestrictSendingNTLMTraffic Registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 key and setting it to 2.

Tsing Mui
News poster at The FPS Review.

Recent News