Check Point helps Zoom fix ‘Vanity URL’ security issue
The loophole gave cybercriminals an opening via specialized Zoom URL links.
Hugely popular video conferencing platform Zoom has worked with cybersecurity firm Check Point to address a glaring security issue centered around vanity URLs.
When made aware of the exploit by Check Point researchers, Zoom officials implemented additional safeguards to protect users and the issue has now been fully resolved.
With the Custom URL feature, organizations can create custom URLs on Zoom such as “http://yourcompany.zoom.us/” and custom versions of Zoom invite links. Check Point researchers Adi Ikan, Liri Porat and Ori Hamama said in a study that they worked with Zoom to identify two ways cybercriminals could exploit the widely used feature.
“Before the Zoom patch, an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations that appeared legitimate to deceive a victim,” the study said.
“Furthermore, the attacker could have directed the victim to a website dedicated to the subdomain, where the victim entered the relevant meeting ID and would not be notified that the invite was not from the legitimate organization.”
If exploited, a cybercriminal could have manipulated Identity Meeting Links by impersonating an employee of a potential victim organization via Zoom, giving the hacker a vector to steal credentials or sensitive information.
According to the Check Point report, the attack would have started with the attacker posing as a legitimate employee of a company. The attacker could then send an invite from the organization’s Vanity URL to the affected customers to gain credibility, and finally proceed to steal credentials and sensitive information, as well as to commit other fraudulent actions.
Custom URLs are required for configuration if you intend to enable single sign-on, and organizations can also customize this custom page to carry their own logos. The Custom URL feature is only available for the Professional version of Zoom.
It’s unknown if the issue has been exploited by cybercriminals before, but hackers could easily modify the invitation URL to include a registered subdomain of their choice.
“In other words, if the original link was https://zoom.us/j/##########, the attacker could change it to https://.zoom.us/j/##########. Without special cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued by a real or actual organization,” the study states.
“Some organizations have their own Zoom web interface for conferencing. A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the real or genuine Zoom web interface. As with direct link attacks, without extensive cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and fall prey to the attack.”
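The two attack paths above both hinge on the same detail: a Zoom invite whose host is `<subdomain>.zoom.us` looks legitimate, but the subdomain could be one the attacker registered rather than the organization's own. The following is an added illustration, not code from Check Point or Zoom, of the kind of check an email gateway or help-desk tool could apply on the receiving side: it parses each link in an invitation and reports whether the vanity subdomain is one the organization actually expects. The allowlist, hostnames and sample invitation text are constructed for the example.

```python
"""Flag Zoom invite links whose vanity subdomain is not one an organization
expects. Added example; the allowlist and sample invite are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist: vanity subdomains this organization recognizes as its
# own. A real deployment would load these from configuration.
TRUSTED_VANITY_SUBDOMAINS = {"yourcompany", "yourcompany-eu"}

# Hosts that are Zoom itself rather than a customer's vanity subdomain.
GENERIC_ZOOM_HOSTS = {"zoom.us", "www.zoom.us"}

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def classify_zoom_link(url: str, trusted=TRUSTED_VANITY_SUBDOMAINS) -> str:
    """Classify one link.

    Returns one of:
      'trusted'          - <allowlisted subdomain>.zoom.us
      'generic'          - zoom.us / www.zoom.us with no vanity subdomain
      'untrusted-vanity' - some other *.zoom.us subdomain (the case the
                           Check Point write-up describes)
      'not-zoom'         - any other host, or a non-http(s) scheme
    """
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https"):
        return "not-zoom"
    # urlparse().hostname strips userinfo and port, so a link such as
    # https://zoom.us@example.net is attributed to example.net, not zoom.us.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in GENERIC_ZOOM_HOSTS:
        return "generic"
    if not host.endswith(".zoom.us"):
        return "not-zoom"
    sub = host[: -len(".zoom.us")]
    # Reject nested labels (a.b.zoom.us) and an empty label; only a single
    # allowlisted label directly under zoom.us counts as trusted.
    if not sub or "." in sub:
        return "untrusted-vanity"
    return "trusted" if sub in trusted else "untrusted-vanity"


def review_invitation(text: str, trusted=TRUSTED_VANITY_SUBDOMAINS):
    """Return [(url, verdict), ...] for every http(s) link found in the text,
    in order of appearance."""
    return [(u, classify_zoom_link(u, trusted)) for u in URL_PATTERN.findall(text)]


# Constructed sample invitation: one link on the organization's real vanity
# subdomain and one on a look-alike subdomain that is not allowlisted.
SAMPLE_INVITE = (
    "Hi, please join the quarterly review.\n"
    "Join: https://yourcompany.zoom.us/j/1234567890\n"
    "Backup link: https://yourcompany-support.zoom.us/j/1234567890\n"
)

if __name__ == "__main__":
    for url, verdict in review_invitation(SAMPLE_INVITE):
        print(f"{verdict:17} {url}")
```

The `untrusted-vanity` verdict is the one worth alerting on: it is a real Zoom host, so the link works and looks normal to the recipient, which is exactly why the report says untrained users may not spot it. A gateway could rewrite or quarantine such links, or simply annotate the message with the subdomain so the recipient sees it.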
The study included screenshots of the types of screens people would encounter if the issue had been exploited. There are dozens of examples of what could be done with an issue like this, and the report cites one where an attacker poses as a “legitimate employee” at a company, sending an invitation from the organization’s Vanity URL to relevant customers in order to gain credibility.
This alone could be used to steal the credentials and information of people who rightfully might not be able to tell the difference between real and fake links.
Zoom usage has skyrocketed since countries around the world instituted quarantine measures to deal with the coronavirus pandemic. The platform has grown from around 10 million daily users in December 2019 to over 300 million in April 2020.
The platform came under heavy criticism for a number of failures as usage reached unprecedented levels. Check Point worked with Zoom earlier this year on another security issue, according to a blog post from the company.
A Zoom spokesperson confirmed that the issue has been resolved and that additional safeguards are “in place for the protection of its users”.
“Zoom encourages its users to carefully review the details of any meeting they plan to attend before joining, and to only join meetings of users they trust. We thank Check Point for bringing this to our attention. If you believe you have found a security issue with Zoom products, please send a detailed report to [email protected],” the spokesperson said.
Ikan, the group leader at Check Point Research, said now that Zoom has become vital to millions of businesses, it’s up to everyone to make sure it’s safe.
“Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it is critical to prevent threat actors from exploiting Zoom for criminal purposes,” said Ikan in a press release.
“Together with Zoom’s security team, we’ve helped Zoom provide users around the world with a safer, easier, and more reliable communication experience so they can reap the full benefits of the service.”