Zoom has fixed a security flaw that could have allowed attackers to launch hard-to-spot phishing attacks using the platform, according to researchers at Check Point who discovered and disclosed the flaw. The issue involved Zoom’s “vanity URL” feature that allows organizations to create custom meeting invitation links, which often include the organization’s name.
“Prior to Zoom’s fix, an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim,” Check Point explains. “In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization.”
The researchers stress that this would have made it fairly easy for attackers to construct convincing phishing links.
“Upon setting up a meeting, an attacker could change the invitation link URL to include any registered sub-domain,” the researchers write. “For instance, if the original invitation link was https://zoom[.]us/j/7470812100, the attacker could change it to https://<organization’s name>[.]zoom[.]us/j/7470812100. A victim receiving such an invitation would have had no way of knowing the invitation did not actually come from the actual organization. In addition, the attacker could also change the link from /j/ to /s/: https://<organization’s name>[.]zoom[.]us/s/7470812100. Given there are cases of organizations’ logos appearing when entering such a URL, this could have added an additional layer of deception. Also, clicking on the ‘Sign in to Start’ button would often lead the victim to the organization’s legitimate portal.”
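As an added defender-side example (not code from the article or from Check Point), here is a Python check that a mail filter or awareness tool could run over invitation links: it parses the vanity subdomain, the /j/ versus /s/ path and the meeting ID, and flags links whose vanity host is not the one registered to the claimed sender. The link pattern, the regional-host rule, the KNOWN_VANITY table and the sample message are assumptions constructed for this example.

```python
import re

# Shape of a Zoom invitation link (an assumption for this example, mirroring the links
# quoted above): optional vanity subdomain, /j/ (join) or /s/ (start), 9-11 digit meeting ID.
ZOOM_INVITE = re.compile(
    r"https?://(?:(?P<sub>[a-z0-9-]+)\.)?zoom\.us/(?P<path>j|s)/(?P<mid>\d{9,11})\b",
    re.IGNORECASE,
)
# Zoom's own regional web hosts (e.g. us02web.zoom.us) are not organization vanity names.
ZOOM_OWN_HOST = re.compile(r"^us\d{2}web$", re.IGNORECASE)

# Constructed lookup: sender e-mail domain -> vanity subdomain that organization registered.
KNOWN_VANITY = {"example.com": "example", "acme.example": "acme"}


def parse_zoom_invite(url):
    """Return vanity subdomain (None if absent), path type and meeting ID; None if not a Zoom invite."""
    m = ZOOM_INVITE.match(url.strip())
    if not m:
        return None
    sub = (m.group("sub") or "").lower()
    vanity = None if (not sub or ZOOM_OWN_HOST.match(sub)) else sub
    return {"vanity": vanity, "path": m.group("path").lower(), "meeting_id": m.group("mid")}


def assess_invite(sender_domain, url, known_vanity=KNOWN_VANITY):
    """Classify one link against the domain the message claims to come from.

    generic  : no organization name in the host, so no organization is being impersonated
    match    : vanity subdomain is the one registered to the sender's domain
    mismatch : vanity subdomain is not the sender's registered one; route for review
    The second element is True for the /s/ 'start' variant, whose page may show org branding.
    """
    info = parse_zoom_invite(url)
    if info is None:
        return ("not-zoom", False)
    if info["vanity"] is None:
        verdict = "generic"
    elif known_vanity.get(sender_domain.lower()) == info["vanity"]:
        verdict = "match"
    else:
        verdict = "mismatch"
    return (verdict, info["path"] == "s")


def flag_invites(sender_domain, body, known_vanity=KNOWN_VANITY):
    """Scan a message body and return every link whose vanity host does not fit the sender."""
    return [m.group(0) for m in ZOOM_INVITE.finditer(body)
            if assess_invite(sender_domain, m.group(0), known_vanity)[0] == "mismatch"]


# Constructed sample message: one consistent link, one using another organization's vanity host.
SAMPLE_BODY = ("Join: https://example.zoom.us/j/7470812100\n"
               "Also: https://acme.zoom.us/s/7470812100 from our billing team")
```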
The researchers conclude with examples of how this flaw could have been abused in the real world.
“There are many relevant day-to-day scenarios that could potentially have been leveraged using this impersonation method, which could have resulted in a successful phishing attempt – especially if used to impersonate an enterprise’s Zoom Vanity URL,” the researchers say. “For example, an attacker could have introduced themselves as legitimate employees in the company, sending an invitation from an organization’s Vanity URL to relevant customers in order to gain credibility. This activity could have then been leveraged to steal credentials and sensitive information, as well as for other fraud actions.”
Zoom fixed this flaw after it was reported by Check Point, so this particular attack vector can no longer be used. However, the issue demonstrates how attackers can find novel ways to abuse technology and deceive users. New-school security awareness training can help your employees defend themselves against new phishing techniques by teaching them about the enduring aspects of social engineering.
Check Point has the story.