Zoom is dealing with one hot potato after another. It recently got out of a situation in which its iOS app was found to be secretly sharing data with Facebook, which it resolved by updating the app.
Now it is dealing with another problem, caused by the way the software's Company Directory feature works.
Zoom groups together users who signed up with the same company email domain, so that colleagues can find and call each other more easily. As a result, users who signed up with their private email address have had thousands of strangers added to their contact list, because everyone on that domain was treated as working for the same organisation. Anyone in such a group can see details of every subscribed user of that provider, including their full name, physical address, profile picture and status.
There is, however, a little good news. Users of standard email providers such as Gmail, Hotmail and Yahoo are not affected, because Zoom has blacklisted those domains. For non-standard domains, the company officially requires users to submit a request to have the domain blacklisted.
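The grouping problem described above comes down to policy design: excluding a short denylist of public providers leaves every other shared domain treated as one organisation. The following illustrative model (added here; it is not Zoom's code, and all domains and names are constructed) contrasts that denylist approach with an allowlist of domains an organisation has actually verified it owns.

```python
"""Illustrative model of domain-based contact grouping.

Constructed example, not Zoom's code. It shows why a denylist of public
email providers still leaks contacts between strangers on any other shared
domain, and how grouping only verified organisation domains avoids that.
"""
from collections import defaultdict

# Constructed sample accounts. "small-isp.example" stands in for a
# non-standard email provider that is not on the denylist.
USERS = [
    ("alice@acme.example", "Alice"),
    ("bob@acme.example", "Bob"),
    ("carol@gmail.com", "Carol"),
    ("dave@gmail.com", "Dave"),
    ("erin@small-isp.example", "Erin"),
    ("frank@small-isp.example", "Frank"),
]

# Denylist: public providers that must never form a directory.
PUBLIC_PROVIDERS = {"gmail.com", "hotmail.com", "yahoo.com"}

# Allowlist: domains a customer organisation has proved it owns (assumed
# verification step, e.g. a DNS record; not part of this example).
VERIFIED_ORG_DOMAINS = {"acme.example"}


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def group_by_denylist(users, denylist=PUBLIC_PROVIDERS):
    """Weak policy: every domain NOT on the denylist becomes an organisation."""
    groups = defaultdict(list)
    for email, name in users:
        domain = domain_of(email)
        if domain not in denylist:
            groups[domain].append(name)
    return dict(groups)


def group_by_allowlist(users, allowlist=VERIFIED_ORG_DOMAINS):
    """Hardened policy: only verified organisation domains form a directory."""
    groups = defaultdict(list)
    for email, name in users:
        domain = domain_of(email)
        if domain in allowlist:
            groups[domain].append(name)
    return dict(groups)


def visible_contacts(email, name, groups):
    """Names the given user would see in their directory, excluding themselves."""
    return [other for other in groups.get(domain_of(email), []) if other != name]


if __name__ == "__main__":
    for label, policy in (("denylist", group_by_denylist), ("allowlist", group_by_allowlist)):
        groups = policy(USERS)
        print(label, "-> Erin sees:", visible_contacts("erin@small-isp.example", "Erin", groups))
```

Under the denylist policy Erin's directory lists Frank, a stranger who merely uses the same email provider; under the allowlist policy her directory is empty, while Acme's verified domain still groups Alice and Bob as intended.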
But that is not the end of bad news for the company.
It has also been found that Zoom converts any URL it receives into a clickable hyperlink. This can be abused: instead of a web link, a cybercriminal could send you a Universal Naming Convention (UNC) path.
UNC paths are normally used for networking and file sharing. If an unsuspecting user clicks such a link in Zoom, Windows tries to connect to the remote host using the Server Message Block (SMB) network file-sharing protocol. By default, Windows sends the user's login name and NTLM password hash to that host. The NTLM password hash can then be cracked, putting the computer at risk of compromise.
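A defender reviewing chat content or logs wants to spot UNC paths before users click them. The detector below is an added example, not part of the original article or Zoom's software: it extracts `\\host\share\...` paths from sample messages (constructed here), separates them from ordinary web URLs, and flags any whose host is not under an assumed internal domain suffix.

```python
"""Detect UNC paths in chat-style messages and flag external hosts.

Added example, not Zoom's code. The messages and the internal domain suffix
are constructed for illustration.
"""
import re

# Matches \\host followed by zero or more \segment parts, e.g. \\srv\share\x.
# Two backslashes in the raw pattern match one literal backslash each.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)((?:\\[^\s\\]+)*)")

# Assumed internal DNS suffix; anything else is treated as external.
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed sample messages as a chat system or log export might hold them.
MESSAGES = [
    "Agenda: https://intranet.corp.example/meeting-notes",
    r"See the file at \\files.corp.example\share\q1.xlsx",
    r"Check this out \\203.0.113.7\pics\cat.jpg",
    "No links here, just text.",
]


def find_unc_paths(text):
    """Return a list of (host, path) tuples for every UNC path in the text."""
    return [(m.group(1), m.group(2)) for m in UNC_RE.finditer(text)]


def is_external_host(host, internal_suffixes=INTERNAL_SUFFIXES):
    """True unless the host is exactly, or a subdomain of, an internal suffix."""
    host = host.lower()
    return not any(host == s or host.endswith("." + s) for s in internal_suffixes)


def scan_messages(messages):
    """Produce one finding per UNC path, flagging hosts outside the internal suffixes."""
    findings = []
    for index, text in enumerate(messages):
        for host, path in find_unc_paths(text):
            findings.append({
                "message": index,
                "host": host,
                "path": path,
                "external": is_external_host(host),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_messages(MESSAGES):
        level = "ALERT" if finding["external"] else "info"
        print(f"{level}: message {finding['message']} links to \\\\{finding['host']}{finding['path']}")
```

Only the message pointing at `\\203.0.113.7` is flagged as external; the one pointing at a host under the internal suffix is reported for information, and plain `https://` links produce no finding at all.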