Beautiful Virgin Islands

Monday, Oct 06, 2025

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

Two zero-day flaws have been uncovered in Zoom’s macOS client version, according to researchers. The web conferencing platform vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

The two flaws, uncovered by Patrick Wardle, principle security researcher with Jamf, emerge as Zoom comes under increased scrutiny over its security measures, particularly with more employees working from home over the past few weeks due to the coronavirus pandemic.

“Today, we uncovered two (local) security issues affecting Zoom’s macOS application,” said Wardle in a post this week. “Given Zoom’s privacy and security track record this should surprise absolutely zero people.”

The vulnerabilities come with the caveat that an attacker needs a local foothold on systems to exploit them – so bad actors would first need physical access to a victims’ computer. Another attack scenario could include a post-malware infection attack by a remote adversary with a preexisting foothold on the targeted system.

The first flaw stems from an issue with Zoom’s installer and allows unprivileged attackers to gain root privileges. The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app (leveraging preinstallation scripts) without any user interaction.

The API has actually been deprecated by Apple because the it does not attempt to validate a binary being executed at root. Because Zoom is using this API, it means “a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root,” said Wardle.

To exploit Zoom, the local, non-privileged attacker could simply modify a binary to include the runwithroot script during an install. Because it would then not be validated they would ultimately gain root access.

The second zero day flaw gives attackers Zoom’s mic and camera access, allowing for a way to record Zoom meetings, or snoop in on victims’ personal lives – sans a user access prompt.

Zoom requires access to a system microphone and camera due to its nature of being a web conferencing platform. While recent versions of macOS require explicit user approval for these permissions, Zoom has an “exception” that allows code to be injected by third party libraries. Wardle said a malicious third party library could be loaded into Zoom’s process/address space – automatically inheriting all Zooms access rights, and ultimately giving attackers control over these camera and microphone permissions.

“Due to an ‘exception’ entitlement, we showed how to inject a malicious library into Zoom’s trusted process context,” Wardle said. “This affords malware the ability to record all Zoom meetings, or, simply spawn Zoom in the background to access the mic and webcam at arbitrary times.”

Wardle said, “the former [flaw] is problematic as many enterprises (now) utilize Zoom for (likely) sensitive business meetings, while the latter is problematic as it affords malware the opportunity to surreptitious access either the mic or the webcam, with no macOS alerts and/or prompts.”



Other Security Flaws

Zoom security issues are snowballing. The FBI on Tuesday warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called “Zoom-bombing” attacks. These include a Massachusetts high school online classroom using Zoom, where an unidentified individual dialed in, yelled a profanity and then shouted the teacher’s home address in the middle of instruction, said the FBI’s report.

On Tuesday, security researchers uncovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users. The flaw was first discovered by a Twitter user under the handle _g0dmode, and then verified by security researcher Matthew Hickey, with cybersecurity firm Hacker House.

In chat messages on its platform, Zoom automatically converts UNC paths into clickable links. A UNC path is a PC format for specifying the location of resources on a local-area network (LAN), which can be used to access network resources.

Once a victim in the chat clicks on the linked UNC path, Windows will attempt to connect to the link using an SMB file sharing protocol, according to a report by Bleeping Computer. By default, this transmits the victim’s login name and password. The password is hashed via NTLM, but can easily be sniffed out and cracked by attackers (using free tools like Hashcat).

A separate Zoom issue, reported Wednesday by Motherboard, shows that Zoom is leaking the email addresses and photos of thousands of users. This is due to an issue in Zoom’s “Company Directory,” where the platform automatically adds people to other’s lists of contacts if they use an email address sharing the same domain.

“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section,” according to Zoom’s support page.
Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
Munich Airport Reopens After Second Drone Shutdown
France Names New Government Amid Political Crisis
Trump Stands Firm in Shutdown Showdown and Declares War on Drug Cartels — Turning Crisis into Opportunity
Surge of U.S. Billionaires Transforms London’s Peninsula Apartments into Ultra-Luxury Stronghold
Pro Europe and Anti-War Babiš Poised to Return to Power After Czech Parliamentary Vote
Jeff Bezos Calls AI Surge a ‘Good’ Bubble, Urges Focus on Lasting Innovation
Japan’s Ruling Party Chooses Sanae Takaichi, Clearing Path to First Female Prime Minister
Sean ‘Diddy’ Combs Sentenced to Fifty Months in Prison Following Prostitution Conviction
Taylor Swift’s ‘Showgirl’ Launch Extends Billion-Dollar Empire
Trump Administration Launches “TrumpRx” Plan to Enable Direct Drug Sales at Deep Discounts
Trump Announces Intention to Impose 100 Percent Tariff on Foreign-Made Films
Altman Says GPT-5 Already Outpaces Him, Warns AI Could Automate 40% of Work
Singapore and Hong Kong Vie to Dominate Asia’s Rising Gold Trade
Trump Organization Teams with Saudi Developer on $1 Billion Trump Plaza in Jeddah
Manhattan Sees Surge in Office-to-Housing Conversions, Highest Since 2008
Switzerland and U.S. Issue Joint Assurance Against Currency Manipulation
Electronic Arts to Be Taken Private in Historic $55 Billion Buyout
Thomas Jacob Sanford Named as Suspect in Deadly Michigan Church Shooting and Arson
Russian Research Vessel 'Yantar' Tracked Mapping Europe’s Subsea Cables, Raising Security Alarms
New York Man Arrested After On-Air Confession to 2017 Parents’ Murders
U.S. Defense Chief Orders Sudden Summit of Hundreds of Generals and Admirals
Global Cruise Industry Posts Dramatic Comeback with 34.6 Million Passengers in 2024
Trump Claims FBI Planted 274 Agents at Capitol Riot, Citing Unverified Reports
India: Internet Suspended in Bareilly Amid Communal Clashes Between Muslims and Hindus
Supreme Court Extends Freeze on Nearly $5 Billion in U.S. Foreign Aid at Trump’s Request
Archaeologists Recover Statues and Temples from 2,000-Year-Old Sunken City off Alexandria
China Deploys 2,000 Workers to Spain to Build Major EV Battery Factory, Raising European Dependence
Speed Takes Over: How Drive-Through Coffee Chains Are Rewriting U.S. Coffee Culture
U.S. Demands Brussels Scrutinize Digital Rules to Prevent Bias Against American Tech
Ringo Starr Champions Enduring Beatles Legacy While Debuting Las Vegas Art Show
Private Equity’s Fundraising Surge Triggers Concern of European Market Shake-Out
Colombian President Petro Vows to Mobilize Volunteers for Gaza and Joins List of Fighters
FBI Removes Agents Who Kneeled at 2020 Protest, Citing Breach of Professional Conduct
Trump Alleges ‘Triple Sabotage’ at United Nations After Escalator and Teleprompter Failures
Shock in France: 5 Years in Prison for Former President Nicolas Sarkozy
Tokyo’s Jimbōchō Named World’s Coolest Neighbourhood for 2025
European Officials Fear Trump May Shift Blame for Ukraine War onto EU
BNP Paribas Abandons Ban on 'Controversial Weapons' Financing Amid Europe’s Defence Push
Typhoon Ragasa Leaves Trail of Destruction Across East Asia Before Making Landfall in China
The Personality Rights Challenge in India’s AI Era
Big Banks Rebuild in Hong Kong as Deal Volume Surges
Italy Considers Freezing Retirement Age at 67 to Avert Scheduled Hike
Italian City to Impose Tax on Visiting Dogs Starting in 2026
Arnault Denounces Proposed Wealth Tax as Threat to French Economy
Study Finds No Safe Level of Alcohol for Dementia Risk
Denmark Investigates Drone Incursion, Does Not Rule Out Russian Involvement
Lilly CEO Warns UK Is ‘Worst Country in Europe’ for Drug Prices, Pulls Back Investment
Nigel Farage Emerges as Central Force in British Politics with Reform UK Surge
Disney Reinstates ‘Jimmy Kimmel Live!’ after Six-Day Suspension over Charlie Kirk Comments
U.S. Prosecutors Move to Break Up Google’s Advertising Monopoly
×