Security Experts:

SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering

Vanity URLs offered by SaaS applications can be spoofed by malicious actors for phishing and social engineering, according to data security and analytics company Varonis.

Varonis researchers have analyzed the vanity URLs for Zoom, Box and Google services, and found that they can all be — or could have been before fixes were implemented — abused for malicious purposes.

A vanity URL is a personalized URL that makes it easier to remember links to files, landing pages and other resources. For example, the app.example.com/s/1234 URL can be personalized to varonis.example.com/s/1234. A vanity URL could also seem more trustworthy to users.

However, Varonis researchers found that SaaS applications often only validate the URI — the “/s/1234” part in the above example — but fail to validate the vanity URL’s subdomain. An attacker can abuse this by changing the subdomain in a link generated by their own SaaS accounts.

For example, in the case of file sharing URLs generated by the Box content management app, a custom subdomain can be used — such as yourcompany.box.com — to share and access documents. While this feature is only available to business-level plans, Varonis found that the generic link that can be created for file sharing by any user, which looks like app.box.com/s/<id>, could have been modified in some cases simply by prepending any company’s name and the link would still work.

An attacker, for instance, could have created a generic file sharing link and modified it to look like supplier_name.app.box.com/s/<id>. A link with such a name pointing to a file that instructs an employee in a company’s financial department to make a payment to a specified bank account is more likely to succeed than a random link.

The same method worked with public file request URLs from Box, which could have been used to lure people to phishing forms that instruct victims to hand over personal and financial information.

In the case of Zoom, Varonis tested the method with vanity URLs for meeting recordings and webinar registrations. An attacker can generate a link pointing to malicious content and modify it to apple.zoom.us, for example. In the case of webinar registration links, the attacker can abuse legitimate Zoom functionality to collect information from victims by requiring their data to register to the supposed webinar. The data requested during registration can be customized.

Spoofed Zoom vanity URL

This is not the first time researchers have looked at abusing Zoom’s vanity URLs. Check Point conducted a similar analysis back in 2020, but that focused on join meeting URLs, while Varonis has focused on webinar registration and meeting recording URLs.

Zoom users may see a warning when clicking on such links, but the researchers pointed out that people often click through these types of alerts without giving it too much thought.

Google does not offer a vanity URL feature, but Varonis discovered that links to a Google Form or Docs document can be modified to look like companydomain.docs.google.com.

Spoofed Google Docs vanity URL

Varonis reported its findings to affected vendors and they all implemented patches or mitigations. According to the cybersecurity firm, Box now prevents URL manipulation, Zoom still allows spoofing, but a warning is displayed to the user, and Google has taken steps to address the issue, but spoofing is still possible for Forms and Docs that use the “publish to web” feature.

Zoom and Google also paid out bug bounties, but Varonis is not disclosing the amounts.

“Vanity URLs exist in many SaaS applications and are not limited to just Box and Zoom,” said Tal Peleg, a senior security researcher at Varonis. “We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts.”

Related: Microsoft Warns of Spoofing Vulnerability in Defender for Endpoint

Related: Google to Run Experiment in Fight Against URL Spoofing in Chrome

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.