Don’t Click on Links in Public Zoom Chats Right Now

There is a vulnerability in the way Zoom transforms text into hyperlinks that hackers can use to harvest your Windows credentials and potentially remotely access your desktop. Until Zoom fixes this, resist the urge to click on URLs from people you don’t trust, namely in all those public Zoom meetings you have been attending to stave off coronavirus-induced boredom.

Zoom converts both Internet URLs and UNC (Universal Naming Convention) paths such as “C:\Users\Public” into clickable hyperlinks. Click one and Windows will try to open the UNC path to access the remote files, making the PC username and password hash (basically a scrambled code containing the user’s password) visible to anyone watching from the other end. This password hash can be cracked with readily available software and then used to remotely access your PC and/or network.

It is unclear whether Zoom is working on a fix at this time (we hope they are), but there is a workaround that might keep you safe in the meantime. Fair warning: this is tedious to set up.

It is better to pay attention to the links dropped into the chat. If one looks like a server path, something like “\\uhoh.com.tk\images\awesome.jpg”, don’t click on it. To the untrained eye, this might seem like a simple hyperlink to yet another website, but instead it nudges Windows to try to connect to that remote server via SMB, opening the door for a password attack. The same links can even be used to launch applications on the user’s computer, although at least you will receive a pop-up warning that you need to confirm before the application launches.

How to prevent UNC hyperlinks from sharing Windows login information

This change will not prevent Zoom from displaying UNC links, nor will it prevent Windows from trying to access UNC paths. However, it will prevent your Windows credentials from being passed on to the remote server or PC. Thanks to Bleeping Computer for initially pointing out the fix.

  1. Find “Registry Editor” in the Windows 10 toolbar.
  2. Right-click “Registry Editor” and run it as administrator. Click Yes if Windows asks whether you want to allow the application to make changes to your computer.
  3. In Registry Editor, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  4. In the MSV1_0 folder, right-click > New > DWORD (32-bit).
  5. Name the new value RestrictSendingNTLMTraffic.
  6. After creating it, right-click RestrictSendingNTLMTraffic and select Edit.
  7. Set the Value field to 2. Click OK to close, then close Registry Editor.

If this change causes any problems, you can undo it by simply deleting the RestrictSendingNTLMTraffic registry value you created from the MSV1_0 folder using Registry Editor.
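The same change and its undo can be scripted instead of clicked through. The PowerShell below is an added example, not code from the original article or from Bleeping Computer; the function name `Set-OutboundNtlmRestriction` and its `-Undo` switch are hypothetical, while the key path, value name and data are the ones given in the steps above.

```powershell
# Added example: scripted form of the Registry Editor steps above.
# Function name and -Undo switch are hypothetical; path, value name and data come from the article.
function Set-OutboundNtlmRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Undo   # delete the value again (the article's rollback)
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'RestrictSendingNTLMTraffic'

    # Writing under HKLM needs an elevated session (step 2: "run as administrator").
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Record what was there before touching it; $null means the value did not exist.
    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($Undo) {
        if ($null -ne $before -and $PSCmdlet.ShouldProcess("$path\$name", 'Remove value')) {
            Remove-ItemProperty -Path $path -Name $name
        }
    }
    elseif ($before -ne 2 -and $PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 2')) {
        # -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
    }

    # Read back so the caller sees the resulting state, not the intended one.
    $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Value    = $name
        Previous = $before   # note this if it was not empty: deleting is not the same as restoring
        Current  = $after
    }
}

# Preview without changing anything, then apply:
#   Set-OutboundNtlmRestriction -WhatIf
#   Set-OutboundNtlmRestriction
# Roll back as described in the article:
#   Set-OutboundNtlmRestriction -Undo
```

If `Previous` comes back with a number rather than empty, the value was already set by something else (for example a policy), and deleting it on rollback will not return the machine to that earlier setting.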
