Attackers can use Zoom to steal users’ Windows credentials with no warning

published 01.04.2020 18:38

by Dan Goodin from arstechnica.com

While the attack works only against Windows users, Hickey said attacks can be launched using any form of Zoom, again, by sending targets a UNC location in a text message.

He showed in one tweet how the Zoom Windows client exposed the credentials that could be used to access restricted parts of a Windows network.

In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.

Attacks work by using the Zoom chat window to send targets a UNC (Universal Naming Convention) path, a string of text that the Windows device they're using interprets as the address of a network location.

When Windows users click on the link while they’re connected to certain unsecured machines or networks, the Zoom app will send the credentials over port 445, which is used to transmit traffic related to Windows SMB and Active Directory services.
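The mechanism described above (a UNC path delivered in chat, followed by an SMB connection on port 445 carrying NTLM credentials) can be watched for on both sides: in the chat text before anyone clicks, and on the network when the connection leaves the organization. The following is an added example written for this page; it is not code from the article, from Zoom, or from the researcher quoted. It assumes a simple allowlist of internal address ranges and an internal DNS suffix (`.corp.example`, a placeholder), and every message, hostname and IP address in it is constructed.

```python
"""Flag UNC paths in chat text that point outside the organization's network,
and flag outbound SMB connections to external hosts.

Added example (not from the Ars Technica article or from Zoom). All hostnames,
IP addresses and messages below are constructed placeholders.
"""
import ipaddress
import re

# Matches \\host\share and \\host/share; the host may be a name or an IP.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/]([^\s\\/]+)")

# Assumed internal address space: RFC 1918, loopback and link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed allowlist of internal DNS suffixes (placeholder value).
INTERNAL_DNS_SUFFIXES = (".corp.example",)

SMB_PORT = 445  # the port the article names for SMB / Active Directory traffic


def is_internal_host(host: str) -> bool:
    """True if `host` is an internal IP, a single-label NetBIOS-style name,
    or a name under an allowlisted internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        if "." not in name:  # e.g. FILESERVER: resolved via internal DNS/NetBIOS
            return True
        return name.endswith(INTERNAL_DNS_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETWORKS)


def extract_unc_paths(text: str) -> list:
    """Return (host, share) tuples for every UNC path found in `text`."""
    return UNC_RE.findall(text)


def flag_messages(messages: list) -> list:
    """messages: list of {"sender": str, "text": str}.
    Returns one finding per UNC path whose host is not internal."""
    findings = []
    for msg in messages:
        for host, share in extract_unc_paths(msg["text"]):
            if not is_internal_host(host):
                findings.append({"sender": msg["sender"], "host": host, "share": share})
    return findings


def is_outbound_smb_to_external(dst_ip: str, dst_port: int) -> bool:
    """Network-side check: an SMB connection (port 445) leaving the internal
    address space is what the leak described in the article looks like on the wire."""
    return dst_port == SMB_PORT and not is_internal_host(dst_ip)


# Constructed sample chat messages (not real traffic).
SAMPLE_MESSAGES = [
    {"sender": "alice", "text": r"Slides are on \\fileserver\shared\q1.pptx"},
    {"sender": "bob",   "text": r"try \\10.20.30.40\public\notes.txt"},
    {"sender": "eve",   "text": r"updated agenda: \\203.0.113.7\C$"},
    {"sender": "eve",   "text": r"or here \\files.external-example.invalid/docs"},
    {"sender": "carol", "text": "nothing unusual, see https://intranet.corp.example/wiki"},
]

if __name__ == "__main__":
    for f in flag_messages(SAMPLE_MESSAGES):
        print(f"ALERT: {f['sender']} posted UNC path to external host {f['host']} ({f['share']})")
```

Running the script reports only the two messages whose UNC paths point at a host outside the assumed internal ranges; the single-label server name and the 10.x address pass. `is_outbound_smb_to_external` applies the same host classification to connection records (destination IP and port), which is where a firewall or flow log would show the credential leak regardless of which application triggered it. The regex accepts both backslash and forward-slash separators after the host because either spelling still resolves as a UNC path on Windows.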