Zoom bug allowed mimicking organizations; now fixed
Last updated on Jul 17, 2020, 12:50 am
The Zoom video conferencing service has had plenty of trouble keeping its platform safe from uninvited intruders and so-called 'Zoom-bombers'.
Now, in yet another security issue, researchers have flagged a bug in the service that opened a way for fraudsters to mimic legitimate organizations, something that could have led to major phishing attacks.
Here's all you need to know about it.
Issue
Issue with Vanity URL feature
The flaw, first detected by Check Point's Threat Intelligence arm, ties to the Vanity URL feature that Zoom offers to let companies create their own custom URLs and a branded landing page for meetings.
When this option is used, the meeting invite URL carries the organization's name as a subdomain and appears as https://organization_name.zoom.us/j/##########, instead of the regular https://zoom.us/j/########## format.
Details
How it enabled the mimicking of organizations
While looking into Zoom's security, Check Point's team found that the service didn't validate whether a meeting ID actually belonged to the organization named in a vanity URL.
As a result, they noted, any regular meeting invite could be modified to look like an official one.
All one had to do was create a meeting from a separate individual account and then manually insert a registered organization's vanity domain into the invite URL.
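To make the missing check concrete, here is an added illustration that is not Zoom's code: the meeting registry, host names and function names are constructed assumptions. It contrasts a resolver that validates only the meeting ID (the behaviour described above) with one that also requires the vanity subdomain to own that meeting.

```python
from urllib.parse import urlparse

# Constructed sample registry: which account created which meeting ID.
# A value of None marks a meeting created from a plain individual account.
# In the real service this lookup would live in Zoom's backend (assumption).
MEETING_OWNERS = {
    "1234567890": "acme",   # created under the acme.zoom.us vanity account
    "9876543210": None,     # created from an individual, unbranded account
}


def parse_invite(url: str):
    """Split an invite URL into (vanity_subdomain or None, meeting_id)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("invite must be an https URL")
    host = parts.hostname.lower()
    if host == "zoom.us":
        vanity = None
    elif host.endswith(".zoom.us"):
        vanity = host[: -len(".zoom.us")]
    else:
        raise ValueError("not a zoom.us host")
    path = parts.path.split("/")
    if len(path) != 3 or path[1] != "j" or not path[2].isdigit():
        raise ValueError("malformed join path")
    return vanity, path[2]


def resolve_vulnerable(url: str) -> bool:
    """Pre-fix behaviour as the write-up describes it: only the meeting ID is
    checked, so any existing meeting is served under any vanity subdomain."""
    _vanity, meeting_id = parse_invite(url)
    return meeting_id in MEETING_OWNERS


def resolve_fixed(url: str) -> bool:
    """Hardened check: a branded URL is honoured only when the meeting was
    created by the account that owns that vanity subdomain."""
    vanity, meeting_id = parse_invite(url)
    if meeting_id not in MEETING_OWNERS:
        return False
    if vanity is None:
        return True  # plain zoom.us link claims no organization
    return MEETING_OWNERS[meeting_id] == vanity
```

The same ownership check belongs on the organization's branded web interface, so a meeting ID typed there is only accepted if it was created under that account.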
Information
Dedicated Zoom web interfaces could also be targeted
The researchers further noted that a hacker could also target an organization's own Zoom web interface and "attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface."
Risk
Both could lead to phishing attacks
Both tricks opened a way for attackers to mimic legitimate organizations and trick individuals, whether employees or partners, into joining a phoney meeting. This could in turn have led to the theft of confidential business information.
"A user receiving this invitation may not [even] recognize that the invitation was not genuine or issued from an actual or real organization," Check Point emphasized.
Fix
The glitch has now been fixed
Check Point informed Zoom about the issue soon after its discovery, and Zoom has since issued a fix for it.
"This was a joint-effort between Check Point and Zoom. Together, we've taken important steps to protect users of Zoom everywhere," said Adi Ikan, the Network Research & Protection Group Manager at Check Point.