Zoom fixes ‘vanity URL’ security issue that left users exposed to phishing exploits

John Leyden 21 July 2020 at 16:02 UTC
Updated: 21 July 2020 at 17:13 UTC

Now-patched flaw made it easy for attackers to impersonate legitimate organizations

Zoom Vanity URL to conduct phishing attempts threat thwarted

Zoom has fixed a security issue in its ‘vanity URL’ feature that posed a potential phishing risk to users of the video conferencing platform.

Before the problem was resolved, Zoom’s customizable URL feature had the potential to be exploited by attackers, who were able to manipulate meeting ID links in order to trick users into visiting malicious phishing sites.

The explosive growth in Zoom usage during the coronavirus pandemic has been accompanied by an increase in new domain registrations with names including the word ’zoom’ – a symptom of attempts by cybercriminals to lay phishing traps.

Pride before a fall

Abuse of the Vanity URL feature in Zoom presented a potential vector of such attacks before the problem was remedied, thanks to input from security researchers at Check Point.

A Zoom vanity URL is a custom URL for an organization, such as: yourcompany.zoom.us.

The same technology also allows organization to create a dedicated and customized website for the video conferencing service.

The vanity URL mechanism also allows organizations to create a customized Zoom invitation links, a mechanism researcher at Check Point were able to show was open to abuse.

A blog post by the security firm explains: “Prior to Zoom’s fix, an attacker could have attempted to impersonate an organization’s vanity URL link and send invitations which appeared to be legitimate to trick a victim.

“In addition, the attacker could have directed the victim to a subdomain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization,” it added.

Read more of the latest security vulnerability news

Israel-based Check Point reported the issue to Zoom, which acted to resolve the problem.

A representative of Check Point told The Daily Swig that the company “isn’t aware of any exploits of the flaw before it was fixed”.

This latest issue was discovered as a follow-on from work Check Point conducted in late 2019, when the company’s researchers worked with Zoom to fix a so-called ‘meeting crashing’ vulnerability.

This earlier security flaw allowed a hacker to simply guess a Zoom meeting URL and gatecrash (or ‘Zoombomb’) a meeting.

RECOMMENDED Secure communication: Indian government seeks home-grown Zoom alternative


Source: The Daily Swig

Leave a Reply