UPDATED 13:07 EDT / APRIL 01 2020


More privacy woes for Zoom after researchers find vulnerabilities in desktop apps

Researchers have found previously undisclosed security flaws in Zoom Video Communications Inc.’s Mac and Windows applications that could be exploited by hackers for cyberattacks.

The vulnerabilities are likely to raise fresh concerns over the videoconferencing provider’s data protection practices, which are already the subject of scrutiny by the New York attorney general’s office.

Patrick Wardle, the principal security researcher at enterprise software maker Jamf Software LLC, today shared details about two security flaws in Zoom’s Mac application. Wardle told TechCrunch that using the exploits would require an attacker first to gain physical access to a target machine. That means they pose a limited risk to the vast majority of Zoom users, but the vulnerabilities could theoretically still be harnessed in targeted snooping campaigns.

The first exploit makes it possible to inject malicious code into Zoom application files to compromise a Mac user’s webcam and microphone. The second exploit could enable a hacker to gain root access to a target machine. Attacks with root access can manipulate low-level components of the macOS operating system to various malicious ends, such as planting backdoors for future use. 

Separately, BleepingComputer reported late Tuesday on a security flaw in the Windows version of Zoom that may allow hackers to target users remotely.

The flaw exists in the Zoom client’s chat function. The video conferencing platform automatically turns links posted to a meeting’s chat window into clickable hyperlinks, a feature that would be harmless if not for the fact that the software also makes UNC paths clickable. A UNC path is essentially a link to a remote system that, if accidentally clicked on by an unsuspecting Zoom user, causes Windows to connect to the specified system over the web.

The operating system carries out the process by sending over the user’s login name and a hashed version of their password. Once in possession of that hash, an attacker could easily crack it using any of several freely available password-cracking tools to recover the login credential for the victim’s Windows account.
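The auto-linking behaviour described above, as an added illustration that is not Zoom’s own code: a naive chat linkifier that turns every URL-like token, UNC paths included, into a hyperlink, beside a hardened version that only links http(s) URLs and leaves UNC paths and remote file:// URLs as plain text. All names and the sample message are hypothetical.

```python
import re
from html import escape

# Only web links become clickable. A UNC path (\\host\share) or a file:// URL
# naming a remote host would make Windows open an SMB connection and send the
# user's login name and password hash, so those are rendered as plain text.
SAFE_SCHEMES = ("http", "https")

# Tokens worth inspecting: UNC paths and anything of the form scheme://...
TOKEN_RE = re.compile(r"""(?x)
    (?P<unc>\\\\[^\s\\]+\\[^\s]*)              # \\host\share\...
  | (?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^\s]+)  # scheme://...
""")


def classify(token: str) -> str:
    """'link' for a safe http(s) URL, 'unc' for a UNC path or a remote
    file:// URL that would trigger an SMB connection, otherwise 'text'."""
    if token.startswith("\\\\"):
        return "unc"
    scheme, sep, rest = token.partition("://")
    if not sep:
        return "text"
    scheme = scheme.lower()
    if scheme == "file" and rest and not rest.startswith("/"):  # file://host/share
        return "unc"
    return "link" if scheme in SAFE_SCHEMES else "text"


def naive_linkify(message: str) -> str:
    """Vulnerable behaviour: every matched token, UNC paths included, is linked."""
    return TOKEN_RE.sub(
        lambda m: f'<a href="{escape(m.group(0), quote=True)}">{escape(m.group(0))}</a>',
        message,
    )


def safe_linkify(message: str) -> str:
    """Hardened behaviour: only http(s) URLs are linked; UNC paths stay text."""
    def repl(m: re.Match) -> str:
        tok = m.group(0)
        if classify(tok) == "link":
            return f'<a href="{escape(tok, quote=True)}">{escape(tok)}</a>'
        return tok
    return TOKEN_RE.sub(repl, message)
```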

The discovery of the security flaws will likely add more controversy to a week that has already seen the company take multiple hits to its public image. On Monday, the office of New York Attorney General Letitia James sent Zoom a letter requesting information about its security and privacy policies. The same day, the company was hit with a class-action lawsuit over the recent revelation that it had sent data about some users to Facebook without disclosing the practice in its privacy policy.

Zoom shares are down more than 6% today. The company’s stock has more than doubled since January thanks to surging demand for communications tools amid the coronavirus pandemic. 

Photo: Zoom
