The issue comes into play if a user clicks on the UNC path link. At that point, Windows will try to connect to the remote site using the SMB file-sharing protocol to open the cat.jpg (in this example), and will also send a user's login name and NTLM password hash. There are a number of free tools available that could that could used to view the actual password.
BleepingComputer said it was able to verify the security flaw. Same goes for security researchers Matthew Hickey (@HackerFantastic on Twitter).
"Hi @zoom_US & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted)," Hickey states.
While dehashing passwords might sound like a lot of work, today's hardware can, in some cases, perform the task in a matter of seconds. And it's not just passwords that are at risk. According to Hickey, the UNC injects can launch programs on a local computer when someone clicks on a link, albeit with a security warning from Windows.
"Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter," Hickey told BleepingComputer.
For anyone who does not want to wait for a fix, there is a Group Policy workaround. Hit the link in the Via field below on instructions on configure a Group Policy to prevent NTLM credentials from being sent to remote servers.