Zoom is a popular video conferencing software across the globe that are used by individuals across the globe to work from and to stay in touch with friends and family.
Checkpoint found a new vulnerability with Zoom that let attackers conduct successful phishing attempts. The vulnerability has been reported to Zoom and fixes issued.
Zoom Flaw With Vanity URL
The vulnerability resides with ‘Vanity URL,’ which is an option in Zoom, used to create a custom URL for your company. The custom URL should be like yourcompany.zoom.us instead of the regular one.
The vulnerability allows an attacker to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim.
Also, the attacker can redirect the victim to enter the meeting ID into the malicious Vanity URL than the actual web interface to join the session.
“The security issue is focused on the sub-domain functionalities described above. There are several ways to enter a meeting containing a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organization’s customized sub-domain web UI,” Checkpoint said.
Two possible scenarios;
An attacker could change the invitation link URL to include any registered sub-domain of their choice, an original invitation link was https://zoom[.]us/j/7470812100 attacker can change to https://[.]zoom[.]us/j/7470812100.
They can also change from /j/(Join) to /s/(Sign in), upon receiving this victim has no clue of knowing the invitation did not come from the actual organization.
Another way is targeting the dedicated web UI, some organizations have dedicated sub-domain web UI for entering a meeting.
An attacker could also target this dedicated interface and redirect the user to enter the meeting into malicious Vancity URL, hereby the victim had no way of knowing the invitation did not come from the legitimate organization.
The attacks would result in a successful phishing attempt which would allow attackers to harvests sensitive information such as login credentials and other fraud actions.
“Our partnership with Zoom has provided Zoom users globally with a safer, simpler, and seamless communication experience,” said Adi Ikan, Network Research & Protection Group Manager in Check Point.
Earlier this month Zoom patched another “0day” flaw that let attackers execute arbitrary code on Windows computer.