attackers can use Zoom to steal windows credentials.

[sgteaglefort]

Zoom is being used to  windows credentials.

 

Original article 

https://www.zdnet.com/article/windows-10-alert-zoom-client-can-leak-your-network-login-credentials/

Quote

On the heels of Zoom's iPhone privacy blunder, a security researcher has found that attackers can use the Zoom Windows client's group chat feature to share links that will leak the Windows network credentials of anyone who clicks on them. 

 

Zoom is again in hot water, this after many turn to it in a time of social distancing.

[lewdicrous]

So, they're getting sued (potentially) for sending information to facebook and now this?

Anything for education, I guess.

[StDragon]

Ahh, the NSA (is at it again. EternalBlue used with Ransomware anyone? Remember that? I do.

 

Note: not sure if Wardle was directly involved with any of that past stuff, but, it's the NSA, come on man!

[SpaceGhostC2C]

11 minutes ago, comander said:

Protip, Google has a "free" service that has higher video quality and is presumably more secure than Zoom. 

I'm sure one out of the 324 Google communication services will be good, the question is whether users will have time to find out which one before they kill it again.

 

 

Regarding Zoom, I first heard about it like two weeks ago as forced remote work kicked in. I think it's the best service I ever used for multi-way meetings in terms of stability and audio/image quality for everyone involved (I think every other service at most dealt with two-way connections, sometimes not even). I guess it was too good to be true: the more I learn about it, the less reliable it seems in every other way.

[BlueChinchillaEatingDorito]

2 hours ago, sgteaglefort said:

Zoom is being used to  windows credentials.

 

Original article 

https://www.zdnet.com/article/windows-10-alert-zoom-client-can-leak-your-network-login-credentials/

 

Zoom is again in hot water, this after many turn to it in a time of social distancing.

Isn't there also something regarding how the macOS installer for Zoom operates?

[hishnash]

 

 

29 minutes ago, BlueChinchillaEatingDorito said:

Isn't there also something regarding how the macOS installer for Zoom operates?

 

 

YES! They prompt for the admin users password (and do the install) before the user clicks install, when the installer window opens! they have literally done extra work so that the application is installed even if the user clicks cancel on the installer window! 

 

Zoom seems to be very poorly developed when it comes to being a good system application.

 

Through i am more worried about windows if any application that runs can access credentials that sounds like a windows bug, you cant assume every application running on the system can read all the users passwords. macOS will only let an application read passwords it set into the keychain. (even the the user is root) they will be promted by the system if they want to let this application read other values if the application attempts to read them.

 

[sgteaglefort]

3 hours ago, BlueChinchillaEatingDorito said:

Isn't there also something regarding how the macOS installer for Zoom operates?

Yes zoom is facing many flaws and failures at the moment.

[JoostinOnline]

On 4/1/2020 at 12:45 PM, comander said:

Protip, Google has a "free" service that has higher video quality and is presumably more secure than Zoom. 

 

 

It's great. 100,000 Google employees use it regularly. No one else does, but it works amazing for the people who made it. 

They have so many that I honestly have no clue which one you're talking about. I stopped using most Google services because they abandon and replace them at an alarming rate.

 

Edit: To me, this sounds more like a flaw with Windows and SMB than with Zoom.

Quote

When someone clicks on the UNC path link, Windows attempts to connect to the remote site using the SMB network file-sharing protocol. And by default, Windows then sends the user's login name and NT Lan Manager (NTLM) credential hash.   Additionally, whenever an SMB connection is made, it may leak the client's IP address, domain name, user name, and host name. 

 

It's also worth noting that Zoom hasn't been used to steal credentials, despite what the OP claims. It's just a possibility.

[vlads_]

This sounds more like a problem with SMB than with Zoom. Zoom allows SMB links which is bad security practice, I guess.

 

But SMB apparently straight up sends your hashed password across the network for no reason. Why? 

 

Other than that the only credentials the attacker can get is your IP address (which they can also get by linking to a website they host) and your username/Microsoft account name (??) (again, why is this being sent?).

 

If anyone with more SMB knowledge than me knows why this data is being sent, or any more details about what is happening, I'd really appreciate it. I'm quite confused. Also, did I misunderstand anything?

[mon1ka]

i want to honestly see how zoom responds to this. my sisters use it to keep in touch with friends, but they use mac so they may be ok.

[desertcomputer]

3 hours ago, mon1ka said:

i want to honestly see how zoom responds to this. my sisters use it to keep in touch with friends, but they use mac so they may be ok.

I mean I guess it fixed in latest update

 

https://9to5mac.com/2020/04/02/zoom-fixes-malware-like-macos-installer/

 

Meet jitsi is pretty good option if it just for keeping touch with friends.

[mon1ka]

19 hours ago, Philipaustin said:

I have switched to skype and google meets, for better security. 

i use discord and skype personally. mainly because i can trust the companies they're from

[Techstorm970]

When it comes out that Zoom is a bag of worms, but you're an undergraduate student whose university forces you to use it.

[Gegger]

my school district is starting zoom call learning, i'm resisting the urge to send a bunch of articles about this stuff to staff members

 

it's certainly better than skype which is laggy and buggy with choppy audio and unsynchronized video though

[5x5]

Seriously, is there anything left that attackers can't access with bloody Zoom??

[JoostinOnline]

5 hours ago, Gegger said:

my school district is starting zoom call learning, i'm resisting the urge to send a bunch of articles about this stuff to staff members

 

it's certainly better than skype which is laggy and buggy with choppy audio and unsynchronized video though

 

20 minutes ago, 5x5 said:

Seriously, is there anything left that attackers can't access with bloody Zoom??

You should read the article. This is a flaw with SMB (as I explained in a comment above yours), and Zoom hasn't been used to steal any credentials.

[Gegger]

1 minute ago, JoostinOnline said:

 

You should read the article. This is a flaw with SMB (as I explained in a comment above yours), and Zoom hasn't been used to steal any credentials.

i'm aware of that

 

but still, zoom has a bunch of problems that are hopefully being fixed or are fixed already, on OSX and Binbows

 

and while it hasn't been used to steal any credentials...yet...who knows what other bugs and vulnerabilities zoom has and it's just putting a bad look on their company

 

also it's past 4 am and if i'm not making any sense i'm sorry

[knightslugger]

https://waow.com/2020/04/12/milwaukee-election-officials-zoom-meeting-briefly-hacked/?fbclid=IwAR0SyuEPdV4rQ34XQQEqwGYRzU4PQFF6ktGmt-1-PmXxy_PdtOvhmZ09nvI

 

local news story about a Zoom hacking effecting a Milwaukee Election meeting.

[Energycore]

My workplace switched to Microsoft Teams when the news started to hit. I'm pretty satisfied with it honestly. Also includes slack-like chat functionality and other nice things.

[hishnash]

38 minutes ago, Energycore said:

My workplace switched to Microsoft Teams when the news started to hit. I'm pretty satisfied with it honestly. Also includes slack-like chat functionality and other nice things.

we use a mix of Slack and Teams, the thing teams lacks is the abily to draw on someons screen when they are screen sharing. This is a suppor usefull feature for small team coloboration, you migth say something like `i dont understand this`... and draw on something on thier screen. With teams you end up spending 2 mintues trying to get them to select and understand what it is you want to highlight... very anoying.

[Nowak]

My doctors here in southeastern Mass use Zoom to remotely meet with patients.

 

I'm so tempted to tell the next one I see that they should stop using it.