Page Loader
Home / News / Technology News / Zoom bug allowed mimicking organizations; now fixed
Zoom bug allowed mimicking organizations; now fixed

Zoom bug allowed mimicking organizations; now fixed

By Shubham Sharma
Jul 17, 2020
12:50 am
What's the story

Zoom video conferencing service has had plenty of trouble in keeping its platform safe from uninvited hackers and so-called 'Zoom-bombers'. Now, in yet another security issue, researchers have flagged a bug in the service that opened a way for fraudsters to mimic legitimate organizations - something that could have led to major phishing attacks. Here's all you need to know about it.

Issue

Issue with Vanity URL feature

The flaw, first detected by Check Point's Threat Intelligence arm, ties to the Vanity URL feature that Zoom offers to let companies create their own custom URLs and a branded landing page for meetings. When this option is used, the URL to invite for a meeting includes the official domain and appears as https://organization_name.zoom.us/j/##########, instead of regular https://zoom.us/j/########## format.

Details

How it affected, led to mimicking of organizations

While looking into Zoom's security, Check Point's team found that the service didn't validate meeting IDs for vanity URLs. As a result, they noted, any regular meeting invite could be modified to look like an official one. All one had to do is simply create a meeting from a separate individual account and then manually add a registered domain into the invite URL.

Information

Dedicated Zoom web interfaces could also be targeted

The researchers further noted that a hacker could also target an organization's own Zoom web interface and "attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface."

Risk

Both could lead to phishing attacks

Both tricks opened a way for attackers to mimic legitimate organizations and trick any individual, be it their employees or partners, into joining a phoney meeting. This could have then led to the theft of confidential business information. "A user receiving this invitation may not [even] recognize that the invitation was not genuine or issued from an actual or real organization," Check Point emphasized.

Fix

Now, the glitch has been fixed

That said, it must be noted that Check Point informed Zoom about the issue soon after its discovery and the latter has issued a fix for it. "This was a joint-effort between Check Point and Zoom. Together, we've taken important steps to protect users of Zoom everywhere," said Adi Ikan, the Network Research & Protection Group Manager at Check Point.