Security Experts:

Zoom's Vanity URLs Could Have Been Abused for Phishing Attacks

An issue related to the Zoom feature that allows for the customization of meeting URLs could have been exploited for phishing attacks, Check Point reveals.

Zoom is a video conferencing service that has come under intense scrutiny after being widely adopted as the collaboration tool of choice by numerous organizations and end-users worldwide, amid the COVID-19 pandemic.

The recently identified security issue, Check Point says, is related to the Zoom Vanity URL, a custom URL (e.g. companyname.zoom.us) that organizations are required to use when looking to enable single sign-on (SSO).

The customizable vanity pages are rarely accessed by users, as they don’t normally need to type in the URL for the page to access a video meeting, but click on a provided link for that.

According to Check Point, an attacker looking to exploit the discovered issue would have pretend to be a legitimate employee within a company, then send invitations that appear to come from the company’s Vanity URL to individuals of interest.

However, although the invitation would seem as being sent from the legitimate Vanity URL of the spoofed organization, the URL would actually point to a subdomain registered by the attacker with a name similar to the one of the target.

By manipulating the link, the attacker could lure the user to their own meeting and trick them into handing over credentials or other sensitive information by making them believe that they are actually in a meeting with someone from the targeted company.

An attacker could also target the dedicated Zoom web interfaces that some organizations use for video conferencing to exploit the bug by redirecting the user to a malicious Vanity URL.

“Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization,” Check Point notes.

Zoom has added safeguards to ensure the protection of its users, the security firm reported.

“Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented from exploiting Zoom for criminal purposes. Working together with Zoom’s security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service’s benefits,” Adi Ikan, Group Manager at Check Point Research, commented.

Related: Zoom Got Big Fast. Then Videobombers Made It Rework Security

Related: Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers

Related: Zoom Announces Better Encryption, Other Security Improvements

view counter