Researchers find URL spoofing flaws in Zoom, Box, Google Docs

Researchers have discovered several URL spoofing bugs in Box, Zoom, and Google Docs that would allow phishers to link to malicious content and make it appear to be hosted by an organization’s SaaS account .

Many attacks are made possible

The vulnerabilities result from a lack of validation of so-called vanity URLs, and they allow attackers with their own SaaS accounts to modify the URL of pages hosting malicious files, forms, and landing pages, in order to maximize their potential to mislead users.

“These spoofed URLs can be used for phishing campaigns, social engineering attacks, reputation attacks, and malware distribution,” Varonis researchers noted.

“Most people are more likely to trust a link on than a generic link. However, if someone can spoof that subdomain, trusting the vanity URL can backfire.

The researchers demonstrated the exploitability of these flaws by:

  • Hosted a malicious PDF and phishing form on their test Box account, then created public file sharing and file request URLs and changed the subdomain in those (and the links kept working!)
  • Create malicious registration pages, employee login pages, and pages hosting meeting recordings, and make their URL and even branding reflect that of a popular brand (Apple)
  • Create Google Forms and documents (the latter being shared via the “publish to web” option) impersonating a specific company/brand


URL spoofing vulnerabilities have already been patched by Box, but not all have been mitigated in Zoom and Google Docs.

“We can still reproduce the Google Docs and Google Forms bug. We can reproduce the Zoom webinar registration and recording under certain circumstances, but the user receives a warning message in all cases,” said the Varonis research team at Help Net Security.

“We are still in communication with Google and Zoom in case they need more details, but we have not been informed if they plan to make any additional fixes.”

Since vanity URLs exist in many different SaaS applications, they advise organizations to educate employees about the risk of blindly trusting links, including the organization’s subdomain or that of a popular brand. , and to be careful when asked to submit sensitive information through forms – even if those forms appear to be hosted by their company’s sanctioned SaaS accounts.

Comments are closed.