Saudi Press

Saudi Arabia and the world
Sunday, Jun 01, 2025

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

Two zero-day flaws have been uncovered in Zoom’s macOS client version, according to researchers. The web conferencing platform vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

The two flaws, uncovered by Patrick Wardle, principle security researcher with Jamf, emerge as Zoom comes under increased scrutiny over its security measures, particularly with more employees working from home over the past few weeks due to the coronavirus pandemic.

“Today, we uncovered two (local) security issues affecting Zoom’s macOS application,” said Wardle in a post this week. “Given Zoom’s privacy and security track record this should surprise absolutely zero people.”

The vulnerabilities come with the caveat that an attacker needs a local foothold on systems to exploit them – so bad actors would first need physical access to a victims’ computer. Another attack scenario could include a post-malware infection attack by a remote adversary with a preexisting foothold on the targeted system.

The first flaw stems from an issue with Zoom’s installer and allows unprivileged attackers to gain root privileges. The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app (leveraging preinstallation scripts) without any user interaction.

The API has actually been deprecated by Apple because the it does not attempt to validate a binary being executed at root. Because Zoom is using this API, it means “a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root,” said Wardle.

To exploit Zoom, the local, non-privileged attacker could simply modify a binary to include the runwithroot script during an install. Because it would then not be validated they would ultimately gain root access.

The second zero day flaw gives attackers Zoom’s mic and camera access, allowing for a way to record Zoom meetings, or snoop in on victims’ personal lives – sans a user access prompt.

Zoom requires access to a system microphone and camera due to its nature of being a web conferencing platform. While recent versions of macOS require explicit user approval for these permissions, Zoom has an “exception” that allows code to be injected by third party libraries. Wardle said a malicious third party library could be loaded into Zoom’s process/address space – automatically inheriting all Zooms access rights, and ultimately giving attackers control over these camera and microphone permissions.

“Due to an ‘exception’ entitlement, we showed how to inject a malicious library into Zoom’s trusted process context,” Wardle said. “This affords malware the ability to record all Zoom meetings, or, simply spawn Zoom in the background to access the mic and webcam at arbitrary times.”

Wardle said, “the former [flaw] is problematic as many enterprises (now) utilize Zoom for (likely) sensitive business meetings, while the latter is problematic as it affords malware the opportunity to surreptitious access either the mic or the webcam, with no macOS alerts and/or prompts.”



Other Security Flaws

Zoom security issues are snowballing. The FBI on Tuesday warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called “Zoom-bombing” attacks. These include a Massachusetts high school online classroom using Zoom, where an unidentified individual dialed in, yelled a profanity and then shouted the teacher’s home address in the middle of instruction, said the FBI’s report.

On Tuesday, security researchers uncovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users. The flaw was first discovered by a Twitter user under the handle _g0dmode, and then verified by security researcher Matthew Hickey, with cybersecurity firm Hacker House.

In chat messages on its platform, Zoom automatically converts UNC paths into clickable links. A UNC path is a PC format for specifying the location of resources on a local-area network (LAN), which can be used to access network resources.

Once a victim in the chat clicks on the linked UNC path, Windows will attempt to connect to the link using an SMB file sharing protocol, according to a report by Bleeping Computer. By default, this transmits the victim’s login name and password. The password is hashed via NTLM, but can easily be sniffed out and cracked by attackers (using free tools like Hashcat).

A separate Zoom issue, reported Wednesday by Motherboard, shows that Zoom is leaking the email addresses and photos of thousands of users. This is due to an issue in Zoom’s “Company Directory,” where the platform automatically adds people to other’s lists of contacts if they use an email address sharing the same domain.

“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section,” according to Zoom’s support page.
Newsletter

Related Articles

Saudi Press
0:00
0:00
Close
OPEC+ Agrees to Increase Oil Output for Third Consecutive Month
Turkey Detains Istanbul Officials Amid Anti-Corruption Crackdown
Meta and Anduril Collaborate on AI-Driven Military Augmented Reality Systems
EU Central Bank Pushes to Replace US Dollar with Euro as World’s Main Currency
European and Arab Ministers Convene in Madrid to Address Gaza Conflict
U.S. Health Secretary Ends Select COVID-19 Vaccine Recommendations
Trump Warns Putin Is 'Playing with Fire' Amid Escalating Ukraine Conflict
India and Pakistan Engage Trump-Linked Lobbyists to Influence U.S. Policy
U.S. Halts New Student Visa Interviews Amid Enhanced Security Measures
Trump Administration Cancels $100 Million in Federal Contracts with Harvard
SpaceX Starship Test Flight Ends in Failure, Mars Mission Timeline Uncertain
King Charles Affirms Canadian Sovereignty Amid U.S. Statehood Pressure
Iranian Revolutionary Guard Founder Warns Against Trusting Regime in Nuclear Talks
UAE Offers Free ChatGPT Plus Subscriptions to Citizens
Lebanon Initiates Plan to Disarm Palestinian Factions
Iran and U.S. Make Limited Progress in Nuclear Talks
The Daily Debate: The Fall of the Dollar — Strategic Reset or Economic Self-Destruction?
Trump Administration's Tariff Policies and Dollar Strategy Spark Global Economic Debate
OpenAI Acquires Jony Ive’s Startup for $6.5 Billion to Build a Revolutionary “Third Core Device”
Turkey Weighs Citizens in Public as Erdoğan Launches National Slimming Campaign
Saudi-Spanish Business Forum Commences in Riyadh
Saudi Arabia and Spain Sign MoU to Boost SME Sectors
UK Suspends Trade Talks with Israel Amid Gaza Offensive
Iran and U.S. Set for Fifth Round of Nuclear Talks Amid Rising Tensions
Russia Expands Military Presence Near Finland Amid Rising Tensions
Indian Scholar Arrested in Crackdown Over Pakistan Conflict Commentary
Israel Eases Gaza Blockade Amid Internal Dispute Over Military Strategy
President Biden’s announcement of advanced prostate cancer sparked public sympathy—but behind closed doors, Democrats are in panic
A Chinese company made solar tiles that look way nicer than regular panels!
Indian jet shootdown: the all-robot legion behind China’s PL-15E missiles
The Chinese Dragon: The True Winner in the India-Pakistan Clash
Australia's Venomous Creatures Contribute to Life-Saving Antivenom Programme
The Spanish Were Right: Long Working Hours Harm Brain Function
Did Former FBI Director Call for Violence Against Trump? Instagram Post Sparks Uproar
US and UAE Partner to Develop Massive AI Data Center Complex
Apple's $95 Million Siri Settlement: Eligible Users Have Until July 2 to File Claims
US and UAE Reach Preliminary Agreement on Nvidia AI Chip Imports
President Trump and Elon Musk Welcomed by Emir of Qatar Sheikh Tamim with Cybertruck Convoy
Strong Warning Issued: Do Not Use General Chatbots for Medical, Legal, or Educational Guidance
Saudi Arabia Emerges as Global Tech Magnet with U.S. Backing and Trump’s Visit
This was President's departure from Saudi Arabia. The Crown Prince personally escorted him back to the airport.
NVIDIA and Saudi Arabia Launch Strategic Partnership to Establish AI Centers
Trump Meets Syrian President Ahmad al-Shara in Historic Encounter
Trump takes a blow torch to the neocons and interventionists while speaking to the Saudis
US and Saudi Arabia Sign Landmark Agreements Across Multiple Sectors
Why Saudi Arabia Rolled Out a Purple Carpet for Donald Trump Instead of Red
Elon Musk Joins Trump Meeting in Saudi Arabia
Trump says it would be 'stupid' not to accept gift of Qatari plane
Quantum Computing Threatens Bitcoin Security
Michael Jordan to Serve as Analyst for NBA Games
×