Zoom bug allowed mimicking organizations; now fixed
The Zoom video conferencing service has had plenty of trouble keeping its platform safe from uninvited guests and so-called 'Zoom-bombers'. Now, in yet another security issue, researchers have flagged a bug in the service that opened a way for fraudsters to mimic legitimate organizations - something that could have enabled convincing phishing attacks. Here's all you need to know about it.
Issue with Vanity URL feature
The flaw, first detected by Check Point's Threat Intelligence arm, relates to the Vanity URL feature that Zoom offers to let companies create their own custom URLs and a branded landing page for meetings. When this option is used, the meeting invitation URL carries the organization's branded subdomain and appears as https://organization_name.zoom.us/j/##########, instead of the regular https://zoom.us/j/########## format.
How it allowed organizations to be mimicked
While looking into Zoom's security, Check Point's team found that the service did not validate meeting IDs against the vanity URL they appeared under: nothing checked that the meeting actually belonged to the organization whose branded subdomain was in the link. As a result, they noted, any regular meeting invite could be modified to look like an official one. All an attacker had to do was create a meeting from a separate, individual account and then manually insert a registered organization's vanity subdomain into the invite URL.
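To make the missing check concrete, here is an added illustration (not Zoom's code, and not from the Check Point write-up) of how an invite resolver behaves with and without tying the meeting ID to the vanity subdomain. The account names, meeting IDs, the 9-11 digit ID length, and the ownership tables are constructed assumptions for the example.

```python
"""Hypothetical model of vanity-URL invite resolution, before and after a fix.

This is illustrative code written for this article; it does not reproduce
Zoom's implementation. All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample data: which account owns each vanity subdomain, and
# which account created each meeting.
VANITY_OWNERS = {"acme": "acct-acme", "globex": "acct-globex"}
MEETINGS = {
    "1112223333": "acct-acme",       # a genuine Acme meeting
    "4445556666": "acct-attacker",   # a meeting from an unrelated individual account
}

# Assumption: meeting IDs are 9-11 digits under the /j/ path.
MEETING_PATH = re.compile(r"^/j/(\d{9,11})$")


def parse_invite(url):
    """Return (vanity_subdomain_or_None, meeting_id); raise ValueError if malformed.

    Only hosts of the exact form zoom.us or <label>.zoom.us are accepted, so a
    look-alike such as acme.zoom.us.evil.example is rejected outright.
    """
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("invite must be https")
    host = u.hostname or ""
    if host == "zoom.us":
        vanity = None
    elif host.endswith(".zoom.us") and host.count(".") == 2:
        vanity = host[: -len(".zoom.us")]
    else:
        raise ValueError("not a zoom.us host")
    m = MEETING_PATH.match(u.path)
    if not m:
        raise ValueError("no meeting id in path")
    return vanity, m.group(1)


def resolve_vulnerable(url):
    """Before: the subdomain only selects branding; any existing meeting ID is accepted.

    An attacker's meeting is therefore served under another organization's brand.
    """
    try:
        vanity, mid = parse_invite(url)
    except ValueError as e:
        return ("error", str(e))
    if mid not in MEETINGS:
        return ("error", "unknown meeting")
    return ("join", mid, vanity)   # branded as `vanity` regardless of who owns the meeting


def resolve_hardened(url):
    """After: a vanity-branded invite is honoured only if the meeting belongs to that organization."""
    try:
        vanity, mid = parse_invite(url)
    except ValueError as e:
        return ("error", str(e))
    owner = MEETINGS.get(mid)
    if owner is None:
        return ("error", "unknown meeting")
    if vanity is None:
        return ("join", mid, None)  # plain zoom.us invite: no organization is being claimed
    org_account = VANITY_OWNERS.get(vanity)
    if org_account is None:
        return ("error", "unknown vanity subdomain")
    if owner != org_account:
        return ("error", "meeting does not belong to this organization")
    return ("join", mid, vanity)


if __name__ == "__main__":
    forged = "https://acme.zoom.us/j/4445556666"   # attacker's meeting, Acme's brand
    print("vulnerable:", resolve_vulnerable(forged))
    print("hardened:  ", resolve_hardened(forged))
```

The forged link is the exact manipulation the researchers describe: a meeting created under an individual account with an organization's registered subdomain pasted in front of zoom.us. The vulnerable resolver joins it under Acme's branding; the hardened one refuses because the meeting's owner is not the account that owns the `acme` vanity subdomain.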
Dedicated Zoom web interfaces could also be targeted
The researchers further noted that a hacker could also target an organization's own Zoom web interface and "attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface."
Both could lead to phishing attacks
Both tricks opened a way for attackers to mimic legitimate organizations and trick any individual, be it their employees or partners, into joining a phoney meeting. This could then have led to the theft of confidential business information. "A user receiving this invitation may not [even] recognize that the invitation was not genuine or issued from an actual or real organization," Check Point emphasized.
Now, the glitch has been fixed
Check Point reported the issue to Zoom soon after discovering it, and Zoom has since issued a fix. "This was a joint-effort between Check Point and Zoom. Together, we've taken important steps to protect users of Zoom everywhere," said Adi Ikan, the Network Research & Protection Group Manager at Check Point.