A Vanity URL flaw in Zoom could have let hackers and fraudsters mimic organizations for phishing and social engineering attacks
Researchers from cybersecurity firm Check Point disclosed a new flaw that could have been abused by hackers to mimic organizations and defraud or scam their employees. The flaw has since been fixed and was described as minor and easy to exploit.
According to Check Point researchers, the flaw existed in the Vanity URL feature that Zoom offers organizations. A Vanity URL is a customizable, branded invitation link of the form “yourcompany.zoom.us” that replaces the default zoom.us domain in Zoom meeting invitations. For example, an invite from AndroidRookies for a Zoom meeting could look like https://androidrookies.zoom.us/j/**** instead of the regular https://zoom.us/j/**** format.
Before Zoom fixed the Vanity URL mechanism, a potential hacker or fraudster could have attempted to impersonate an organization’s Vanity URL link and send invitations that appeared to be legitimate in order to trick a victim. In addition, the fraudster could lure the victim to a specially crafted website that asked for a meeting ID. The victim would be under the impression that the Zoom invite came from a legitimate organization.
The security issue concerns the sub-domain functionality. There are several ways to enter a meeting through a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organization’s customized sub-domain web UI.
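As an added illustration of the defensive side of this (example code written for this article, not Check Point's or Zoom's), the following triages meeting invite links the way a mail gateway or analyst script might: it accepts only a real `zoom.us` host, extracts the one-label vanity sub-domain and the meeting ID from a direct `/j/<id>` link, and flags vanity names that are not on an allowlist of organizations you actually meet with. The allowlist is a constructed assumption, and the 9 to 11 digit meeting-ID pattern is an assumption about the link shape, not something stated in the article.

```python
import re
from urllib.parse import urlsplit

ZOOM_BASE = "zoom.us"
# Constructed allowlist (hypothetical): vanity sub-domains of organizations we expect invites from.
EXPECTED_VANITY = frozenset({"androidrookies"})
# Assumed link shape: direct join path /j/<meeting id>, with a 9 to 11 digit ID.
MEETING_PATH = re.compile(r"^/j/(\d{9,11})/?$")


def classify_zoom_link(url, expected=EXPECTED_VANITY):
    """Classify one invite link.

    Returns (verdict, vanity_subdomain, meeting_id), where verdict is one of
    'not-zoom', 'no-meeting-id', 'ok-generic', 'ok-vanity' or 'unexpected-vanity'.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if parts.scheme != "https":
        return ("not-zoom", None, None)
    if host in (ZOOM_BASE, "www." + ZOOM_BASE):
        sub = None  # the regular zoom.us invite with no organization branding
    elif host.endswith("." + ZOOM_BASE):
        sub = host[: -len("." + ZOOM_BASE)]
        if not sub or "." in sub:
            # empty or multi-label prefix is not the single-label vanity shape described above
            return ("not-zoom", None, None)
    else:
        # e.g. androidrookies.zoom.us.example.test or androidrookies-zoom.us: only resembles Zoom
        return ("not-zoom", None, None)
    match = MEETING_PATH.match(parts.path)
    if not match:
        return ("no-meeting-id", sub, None)
    meeting_id = match.group(1)
    if sub is None:
        return ("ok-generic", None, meeting_id)
    if sub in expected:
        return ("ok-vanity", sub, meeting_id)
    return ("unexpected-vanity", sub, meeting_id)


def triage(urls, expected=EXPECTED_VANITY):
    """Return (url, classification) pairs for every link an analyst should look at."""
    results = [(u, classify_zoom_link(u, expected)) for u in urls]
    return [(u, c) for u, c in results if c[0] not in ("ok-generic", "ok-vanity")]
```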
Check Point says that it informed Zoom about the flaw and that Zoom has fixed it. “This security issue has been fixed by Zoom, so the exploits described are no longer possible,” Check Point says.