Zoom is leaking your sensitive data to strangers, allowing hackers access to Windows password: Report

tech2 News Staff • April 2, 2020, 15:59:52 IST

After the iOS vulnerability found last week, security researchers claim to have found a bunch of new vulnerabilities in the app.


With lockdowns around the world forcing people to stay in, video conferencing app Zoom’s popularity has exploded like never before. This week, **Zoom became the top free app** on the App Store and Google Play Store. However, while Zoom was becoming a popular choice for people trying to connect with friends and office colleagues, the app was also found to be sending iOS users’ data to Facebook without their knowledge. Zoom patched the issue soon after the discovery and denied any such activity. Now, just a week after that, a few security researchers claim to have found a bunch of other vulnerabilities in the app.

![Zoom video conferencing app](https://images.firstpost.com/wp-content/uploads/2020/03/zoom-1024.jpg)

Zoom video conferencing app

The first flaw was discovered by a security researcher who goes by the handle @g0dmode on Twitter, and it concerns UNC paths. Per the researchers, Zoom on Windows converts networking UNC paths into clickable links in chat messages. Essentially, this means that the Windows version of the app allows hackers to capture Windows passwords.

#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.

— Mitch (@_g0dmode) March 23, 2020

Turns out that @zoom_us UNC path rendering bug is even worse than initially observed, you can hide the UNC magic and completely disable the prompting for running code... (this will affect other applications in a similar way using RichText edit boxes etc., for all ye naysayers...) https://t.co/YqnjNy5RyO

— hackerfantastic.x (@hackerfantastic) April 2, 2020
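
An added example, not Zoom's code and not part of the original article: one way a chat client could avoid the behaviour described above, by making only http(s) URLs clickable and flagging UNC-style paths for review. The function names, patterns and sample messages are assumptions; the example also covers the forward-slash and file:// forms of a remote path, which the article does not mention.

```python
import html
import re

# Remote path forms that make Windows contact the named host over SMB
# (sending the user's Net-NTLM authentication) when they are opened.
REMOTE_PATH = re.compile(
    r"""(?ix)
    (?<![\w:/\\])(?:\\\\|//)[^\s\\/]+[\\/]\S*              # UNC path, either slash style
    | \bfile:[\\/]{2,}(?![a-z]:[\\/])[^\s\\/]+[\\/]\S*     # file URL naming a host
    """
)
WEB_URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def find_remote_paths(message: str) -> list[str]:
    """Return every UNC-style or remote file:// path found in a chat message."""
    return [m.group(0) for m in REMOTE_PATH.finditer(message)]


def render_chat(message: str) -> str:
    """Render a message as HTML, making only http(s) URLs clickable.

    Everything else, UNC paths included, is emitted as escaped inert text.
    """
    out, pos = [], 0
    for m in WEB_URL.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


# Constructed sample messages (192.0.2.10 is a documentation-only address).
SAMPLES = [
    r"notes are at \\192.0.2.10\share\agenda.docx",
    "agenda: https://example.com/agenda",
    "see file://192.0.2.10/share/a.txt and //192.0.2.10/share",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(find_remote_paths(msg), "->", render_chat(msg))
```
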

Besides that, the Zoom app on Mac has two distinct loopholes, which can allow an attacker to gain access to the computer once exploited and install malware or spyware without letting users know about the backdoor entry. Apparently, this loophole comes via the installer for the app, which can easily be injected with malicious code. This flaw was spotted by researcher Patrick Wardle and was first reported by TechCrunch.

TechCrunch/@zackwhittaker: "🍎 has pushed a silent update to all Macs removing a ...web server installed by Zoom"

How? MRTConfigData_10_14-1.45 (MRT is 🍎's built-in "Malware Removal Tool") added "MACOS.354c063", a new encoded signature & removal routine 😯😅

H/T @howardnoakley pic.twitter.com/RUCSDmR2sU

— Patrick Wardle (@patrickwardle) July 11, 2019

Another security researcher reiterated the same issue.

Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M

— Felix (@c1truz_) March 30, 2020

Wardle found another bug in the Mac client that could allow an attacker to inject malicious code to access the webcam and microphone of the system.

Take a deep breath, because that’s not all! Another report, by Vice, claims that Zoom has an issue that groups individuals into a particular ‘Company Directory’, a feature otherwise meant for users within the same company with a similar email domain. Due to the issue, personal information of users, such as email address and photo, is reportedly available to unknown users in an unsolicited manner.

Zoom responded to the report, saying that it had blacklisted the domains that were spamming users:

Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added. With regards to the specific domains that you highlighted in your note, those are now blacklisted.

Zoom also says that it allows users to request other domains to be removed from the Company Directory feature.
