Now-patched flaw made it easy for attackers to impersonate legitimate organizations
Zoom has fixed a security issue in its ‘vanity URL’ feature that posed a potential phishing risk to users of the video conferencing platform.
Before the problem was resolved, Zoom’s customizable URL feature had the potential to be exploited by attackers, who were able to manipulate meeting ID links in order to trick users into visiting malicious phishing sites.
The explosive growth in Zoom usage during the coronavirus pandemic has been accompanied by an increase in new domain registrations with names including the word ‘zoom’ – a symptom of attempts by cybercriminals to lay phishing traps.
Pride before a fall
Abuse of the Vanity URL feature in Zoom presented a potential vector of such attacks before the problem was remedied, thanks to input from security researchers at Check Point.
A Zoom vanity URL is a custom URL for an organization, such as: yourcompany.zoom.us.
The same technology also allows an organization to create a dedicated and customized website for the video conferencing service.
The vanity URL mechanism also allows organizations to create customized Zoom invitation links, a mechanism researchers at Check Point were able to show was open to abuse.
A blog post by the security firm explains: “Prior to Zoom’s fix, an attacker could have attempted to impersonate an organization’s vanity URL link and send invitations which appeared to be legitimate to trick a victim.
“In addition, the attacker could have directed the victim to a subdomain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization,” it added.
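The impersonation described above hinges on the vanity subdomain in front of zoom.us, not on the meeting ID. The following is an added example (not code from Zoom, Check Point or The Daily Swig) of a mail-gateway style check that flags invitation links whose vanity subdomain does not match the one the sending organization is known to own; the domain-to-subdomain mapping, link format and sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: which vanity subdomain each sending e-mail domain
# actually registered with Zoom. In practice this comes from an allowlist.
EXPECTED_VANITY = {"example.com": "example"}

# Matches http(s) links on zoom.us or any *.zoom.us subdomain (assumed format).
ZOOM_LINK = re.compile(r'https?://[A-Za-z0-9.-]*zoom\.us/[^\s<>"]*', re.IGNORECASE)


def vanity_subdomain(url):
    """Return the vanity subdomain of a Zoom link, '' for the generic zoom.us
    (or www.zoom.us) host, or None if the link is not a Zoom link at all."""
    host = (urlparse(url).hostname or "").lower()
    if host in ("zoom.us", "www.zoom.us"):
        return ""
    if host.endswith(".zoom.us"):
        return host[: -len(".zoom.us")]
    return None


def check_invitation(sender_domain, body):
    """Return (url, verdict) for every Zoom link in the message body."""
    expected = EXPECTED_VANITY.get(sender_domain)
    findings = []
    for raw in ZOOM_LINK.findall(body):
        url = raw.rstrip(".,;:)")          # drop trailing sentence punctuation
        sub = vanity_subdomain(url)
        if sub is None:
            continue
        if sub == "":
            verdict = "ok: generic zoom.us link"
        elif expected is None:
            verdict = "suspicious: sender's organization has no known vanity subdomain"
        elif sub == expected:
            verdict = "ok: matches sender's vanity subdomain"
        else:
            verdict = f"suspicious: vanity subdomain '{sub}' is not '{expected}'"
        findings.append((url, verdict))
    return findings


# Constructed sample invitation: one legitimate vanity link, one generic link,
# and one link pointing at a vanity subdomain the sender does not own.
SAMPLE_BODY = """Join here: https://example.zoom.us/j/123456789
Or use https://zoom.us/j/123456789.
Backup: https://notexample.zoom.us/j/123456789"""


def demo():
    return check_invitation("example.com", SAMPLE_BODY)
```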
Israel-based Check Point reported the issue to Zoom, which acted to resolve the problem.
A representative of Check Point told The Daily Swig that the company “isn’t aware of any exploits of the flaw before it was fixed”.
This latest issue was discovered as a follow-on from work Check Point conducted in late 2019, when the company’s researchers worked with Zoom to fix a so-called ‘meeting crashing’ vulnerability.
This earlier security flaw allowed a hacker to simply guess a Zoom meeting URL and gatecrash (or ‘Zoombomb’) a meeting.