Zoom bug allowed anyone to use a company’s custom meeting URL

Zoom still has security problems.

On Thursday, researchers from security firm Check Point detailed their latest discovery: a vulnerability in Zoom that would have allowed any bad actor to use a company's custom URL for their own video meeting.

Here's what that means. Businesses and organizations paying Zoom for video conferencing can set up a unique custom subdomain under zoom.us, often called a vanity URL, so their meeting links carry the company's name. For example, a company can host its live video meetings at URLs of the form https://YourCompany.zoom.us/meetingID.

This bug allowed anyone to set up their own Zoom meeting and add any subdomain registered with Zoom. Suppose McDonald’s uses a custom subdomain mcdonalds.zoom.us for its meetings. Anyone could have started their own meeting, added the “mcdonalds” subdomain to their own personal Zoom meeting link, and the link would have worked. This URL would have led users who clicked on it to the bad actor’s personal Zoom meeting.

People attending the meeting could be tricked into believing they were on a conference call with the company named in the subdomain. Attackers could have used this to impersonate a company representative and social engineer real employees or customers into leaking sensitive information.

There was also a second way this flaw could have been abused.

Some companies with custom Zoom URLs set up branded web conferencing interfaces for their meeting connections. Continuing to use the example above, McDonald’s could have set up its own mcdonalds.zoom.us dashboard with the company logo and other branding to serve as a central space for its employees to log in and enter meeting credentials to attend.

The flaw allowed any meeting ID to be entered into a company's branded Zoom interface, whether or not the meeting was hosted by a company employee. An attacker could have started their own meeting, directed a user to the mcdonalds.zoom.us dashboard, and had the user enter the attacker's meeting ID; the user would then have joined the attacker's meeting.
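To make the missing check concrete, here is a toy model of a vanity-URL join flow, added here as an example; it is not Zoom's code and not from Check Point's report. Both abuse paths described above reduce to the same gap: the server treated the subdomain as branding only and never verified that the meeting belonged to the account that owns the subdomain. The subdomains, account IDs, meeting IDs and the /j/<id> path layout below are all constructed assumptions for the example.

```python
"""Toy model of a vanity-URL join flow (constructed example, not Zoom's code).

resolve_join_vulnerable() reproduces the pre-fix behaviour: the subdomain is
ignored for authorization, so any meeting ID joins under any brand.
resolve_join_fixed() and dashboard_join_fixed() require the meeting's host
account to own the subdomain before the join is allowed.
"""

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Meeting:
    meeting_id: str
    host_account: str  # account that created the meeting


# Constructed sample data: registered vanity subdomains -> owning account,
# and existing meetings. Names and IDs are made up.
VANITY_SUBDOMAINS = {"mcdonalds": "acct-mcd", "acme": "acct-acme"}
MEETINGS = {
    "111222333": Meeting("111222333", "acct-mcd"),       # genuine company meeting
    "444555666": Meeting("444555666", "acct-attacker"),  # attacker's personal meeting
}


def parse_join_url(url):
    """Split https://<sub>.zoom.us/j/<id> into (subdomain, meeting_id).

    Returns None for anything that is not a single-label vanity subdomain
    of zoom.us with a numeric meeting ID (path layout assumed for the example).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(".zoom.us"):
        return None
    sub = host[: -len(".zoom.us")]
    if not sub or "." in sub:
        return None
    segs = parts.path.strip("/").split("/")
    if len(segs) != 2 or segs[0] != "j" or not segs[1].isdigit():
        return None
    return sub, segs[1]


def meeting_under_brand(sub, mid):
    """Hardened ownership check shared by both join paths.

    The meeting is only resolvable under <sub>.zoom.us if the account that
    owns the subdomain is the account that hosts the meeting.
    """
    owner = VANITY_SUBDOMAINS.get(sub)
    meeting = MEETINGS.get(mid)
    if owner is None or meeting is None or meeting.host_account != owner:
        return None  # refuse rather than join under borrowed branding
    return meeting.meeting_id


def resolve_join_vulnerable(url):
    """Pre-fix behaviour: subdomain only has to exist; any meeting ID joins."""
    parsed = parse_join_url(url)
    if parsed is None:
        return None
    sub, mid = parsed
    if sub not in VANITY_SUBDOMAINS:
        return None
    meeting = MEETINGS.get(mid)
    return meeting.meeting_id if meeting else None


def resolve_join_fixed(url):
    """Link variant (first abuse path) with the ownership check applied."""
    parsed = parse_join_url(url)
    if parsed is None:
        return None
    sub, mid = parsed
    return meeting_under_brand(sub, mid)


def dashboard_join_fixed(sub, mid):
    """Branded join-page variant (second abuse path): the user types a meeting
    ID into <sub>.zoom.us, and the same ownership check must apply."""
    return meeting_under_brand(sub, mid)


if __name__ == "__main__":
    attacker_link = "https://mcdonalds.zoom.us/j/444555666"
    print("vulnerable:", resolve_join_vulnerable(attacker_link))  # joins attacker's meeting
    print("fixed:     ", resolve_join_fixed(attacker_link))       # None, rejected
    print("dashboard: ", dashboard_join_fixed("mcdonalds", "444555666"))  # None, rejected
```

The point of the hardened version is that the brand in the hostname becomes part of the authorization decision rather than a cosmetic label: a meeting ID that is valid on zoom.us is still refused under a vanity subdomain whose owner did not create it.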

It's easy to see how a user who joined a meeting through a full web interface carrying McDonald's branding, at the URL mcdonalds.zoom.us, would be convinced it was an official company Zoom conference.

Check Point published a video showing how the flaw could have been exploited.

"Because Zoom has become one of the world's leading communication channels for businesses, governments and consumers, it is critical to prevent threat actors from exploiting Zoom for criminal purposes," said Adi Ikan, who heads a research group at Check Point, in a press release.

Check Point says it worked with Zoom to resolve the issue, and that Zoom has also implemented additional security measures to keep users from being affected by it.

Zoom has been an exceptional technological success during the coronavirus pandemic. The video conferencing company added millions of new users within months at the start of the COVID-19 lockdowns.

However, the company has also faced its share of security problems during this period. The most notable was "Zoombombing," in which uninvited users found their way into private Zoom meetings and disrupted them.

Since those issues came to light, Zoom has committed to prioritizing security. This latest flaw could have caused real problems, but it can no longer be exploited.

UPDATE: July 17, 2020, 9:49 a.m. EDT

Zoom provided us with a statement on the vanity URL bug.

“Zoom has resolved the issue reported by Check Point and has implemented additional safeguards for the protection of its users,” a Zoom spokesperson said in an email. “Zoom encourages its users to carefully review the details of any meeting they plan to attend before joining, and to only join meetings of users they trust. We thank Check Point for bringing this issue to our attention. If you believe you have found a security issue with Zoom products, please send a detailed report to [email protected]”
