Security researchers have found a critical zero-day vulnerability in the Zoom video conferencing app. The flaw is in Zoom's Windows client. It allows limited remote code execution (RCE) and can leak network information. The app mishandles Uniform Resource Identifier (URI) paths, which makes Universal Naming Convention (UNC) path injection possible.
A researcher named Matthew Hickey found this vulnerability, and it has been reported to Zoom.
Anyone can post a malicious link in a chat to expose the victim's computer name, domain or hashed Windows password. Such links can also point to files, such as Microsoft Excel documents, that execute malicious code when opened. Once someone has your password hash, it is not very difficult to break into the network or other servers. This can also be used to plant a backdoor or run malware on the target device.
The researcher demonstrated a proof of concept that launches the built-in calculator app by sending a link like:
\\127.0.0.1\C$\Windows\System32\Calc.exe
If this link is sent in a Zoom chat and the recipient clicks it, the calculator opens. Windows may display an alert box in this case, but for more advanced attacks that might not be the case.
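The root cause described above is that the chat client turns a UNC path into a clickable link. As an added illustration (not code from the article, Zoom or the researcher), the Python below shows the mitigation side: an allow-list linkifier that only makes http(s) URLs clickable, plus a scanner that reports UNC paths in a chat message so they can be detected or stripped. The sample chat lines are constructed.

```python
import re
from urllib.parse import urlparse

# UNC path shape: \\host\share[\more\path]. Host and share names cannot
# contain backslashes or whitespace.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)((?:\\[^\\\s]*)*)")
SAFE_SCHEMES = {"http", "https"}


def find_unc_paths(text):
    """Return (host, share, rest) for every UNC path found in text."""
    return [(m.group(1), m.group(2), m.group(3)) for m in UNC_RE.finditer(text)]


def is_clickable(token):
    """Allow only http(s) URLs that carry a host. UNC paths and file: URIs are
    refused, so a click can never hand a network share to Windows."""
    if UNC_RE.match(token):
        return False
    parsed = urlparse(token)
    return parsed.scheme in SAFE_SCHEMES and bool(parsed.netloc)


def linkify(message):
    """Split a chat message into (token, clickable) pairs using the allow-list."""
    return [(tok, is_clickable(tok)) for tok in message.split()]


def scan_message(message):
    """Defender-side check: report UNC paths in a message and which tokens
    would still become clickable under the allow-list."""
    return {
        "unc_paths": find_unc_paths(message),
        "clickable": [tok for tok, ok in linkify(message) if ok],
    }


# Constructed sample chat lines (assumed, not taken from the article).
SAMPLES = [
    "Notes are at https://example.com/notes",
    r"Try this: \\127.0.0.1\C$\Windows\System32\Calc.exe",
    r"Open file://///fileserver.example/share/report.xlsx",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan_message(line))
```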
The flaw affects Zoom's Windows client only. On Apple's macOS, the Zoom client does not make such links clickable. The iOS app, however, was found to share all of the user's personal information with Facebook.
Other researchers have found that Zoom's Company Directory feature leaks email addresses and photos, and that the app does not use end-to-end encryption to protect calls from interception.
Cyber Security Researcher. Information security specialist, currently working as a risk infrastructure specialist and investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix on the development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time for the last 5 years.