Don’t Click On Links In Public Zoom Chats Right Now

Don’t Click On Links In Public Zoom Chats Right Now
Photo: <a href="https://www.shutterstock.com/image-photo/bangkok-thailand-17-mar-2020-woman-1676224495">Shutterstock</a>

There happens to be a vulnerability in the way Zoom converts URLs into hyperlinks that hackers can use to collect your Windows login credentials and potentially access your desktop remotely. Until Zoom fixes this, resist the urge to click URLs from people you don’t trust—namely all those public Zoom meetings you’ve been attending to stave off coronavirus-induced boredom.

Zoom converts both internet URLs and UNC (universal naming convention) paths—such as “C:\Users\Public,” for example—into generic hyperlinks. Click one, and Windows will try to open these UNC hyperlinks to access remote files, which makes the PC’s username and password hash (basically the jumble of code containing a user’s password) visible to anyone watching from the other end. That password hash can be decrypted using easily available software, then used to access your PC and/or network remotely.

It’s unclear if Zoom company is working on a fix at this time—we hope they are—but there is a workaround that can keep you safe in the meantime. Fair warning: It’s a chore to set up.

The better approach is to pay attention to links dropped into chat. If it looks like a server, something like “\\uhoh.com.tk\images\awesome.jpg,” don’t click on it. To the untrained eye, that might look like a simple hyperlink to yet another website, but it’s instead pushes Windows to try to connect to that remove server via SMB—opening the door to the password attack. These same links can even be used to launch applications on a user’s computer, though at least you’ll get a pop-up warning you’ll have to confirm before the app launches.

How to prevent UNC hyperlinks from sharing your Windows login info

This change will not prevent Zoom from displaying UNC links, nor will it stop Windows from trying to access UNC pathways. However, it will prevent your Windows login credentials from being shared with the remote server or PC. Thanks to Bleeping Computer for originally pointing out the fix.

Screenshot: Brendan Hesse
  1. Search for “Registry Editor” in the Windows 10 toolbar.

  2. Right Click “Registry Editor” and Run as administrator. Click “Yes” if Windows asks if you want to let the app make changes to your computer.

  3. In the Registry Editor window, navigate to “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.”

  4. In the MSV1_0 folder, Right Click > New > DWORD (32 bit)

  5. Name the new key RestrictSendingNTLMTraffic.

  6. After it’s created, right-click RestrictSendingNTLMTraffic and click “Modify.”

  7. Set the “Value” field to 2. Click “OK” to close, then close the Registry Editor.

If this change causes any issues, it can be undone by simply deleting the RestrictSendingNTLMTraffic registry key you made from the MSV1_0 folder using Registry Editor.

Log in to comment on this story!