Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Zoom client for Windows could allow hackers to steal users’Windows password

The popular Zoom app is under scrutiny, experts have discovered a vulnerability that could be exploited to steal users’ Windows passwords. Experts warn of a ‘UNC path injection’ flaw that could be exploited by remote attackers to steal login credentials from Windows systems. Security experts and privacy advocates believe that the Zoom is an efficient […]

zoom

The popular Zoom app is under scrutiny, experts have discovered a vulnerability that could be exploited to steal users’ Windows passwords.

Experts warn of a ‘UNC path injection’ flaw that could be exploited by remote attackers to steal login credentials from Windows systems.

Security experts and privacy advocates believe that the Zoom is an efficient online video communication platform, but evidently it has some serious privacy and security solutions.

The first expert to warn about the security flaw goes online with the handle Mitch (@_g0dmode).

The popular researchers Matthew Hickey (aka Hacker Fantastic) and Mohamed A. Baset also confirmed the existence of the flaw.

The latter also created a simple demo of the Zoom UNC path injection issue

The attack leverages the SMBRelay technique that provides username and NTLM password hashes to a remote SMB server when connecting to it.

The Zoom client for Windows supports remote Universal Naming Convention (UNC) paths and converts URLs into hyperlinks for recipients in a chat.

An attacker could steal the login credentials of a Zoom Windows user, by sending a crafted URL (i.e. \\x.x.x.x\zyz) to the victim via chat and trick the victim into clicking it.

The attack could allow capturing the hashed passwords that could be cracked using specific tools like John the Ripper.

The experts reported the issue to Zoom, but the vulnerability has yet to be fixed.

In January, experts discovered another flaw in the popular video conferencing software that could be exploited to join meetings and view all content shared by participants.

The issue allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – video communication, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]