An unpatched vulnerability within Zoom allows an attacker to drop a malicious link into a chat window and use it to steal a Windows password, according to reports.

hacker could use an attack called a UNC path injection to expose credentials, according to an attack posted on Twitter and subsequently followed up with an additional video. According to The Hacker News, that’s because Windows exposes a user’s login name and password to a remote server when attempting to connect to it and download a file.