Another day, another Zoom security hole. The video conferencing service revealed it has patched a vulnerability that could’ve allowed attackers to impersonate legitimate business accounts in order to phish user credentials, steal data, and infect employees with malware.
The kink, which was discovered by security firm Check Point and disclosed to Zoom, essentially resided in the company’s “Vanity URL” feature which lets business users generate custom links for meetings — like yourcompany.zoom.us. Unfortunately, a shortcoming in the implementation made it possible to fake such invitations without the knowledge of potential victims.
An attacker could create a standard meeting link (like https://zoom.us/j/##########) and simply tack on any legitimate organization’s custom sub-domain in front of the URL (yourcompany.zoom.us/j/##########), and the meeting would still be accessible.
“Without cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization,” Check Point researchers note.
“Using either method a hacker could attempt to pose as an employee of a legitimate organization via Zoom, and give the hacker a vector for stealing credentials or sensitive information,” the researchers warn.
In addition to spoofing meeting links manually, attackers could also abuse Zoom’s custom web interface for businesses to trick users into entering malicious meetings.
“A user can enter any meeting ID in this screen, whether it was originally scheduled by the organization’s employee or not, and join the relevant Zoom session,” Check Point says. “An attacker could have invited the victim to join the session through the dedicated website, and the victim would have had no way of knowing the invitation did not actually come from the legitimate organization.”
Zoom has since fixed both shortcomings, but it remains unclear if hackers were able to exploit them in the wild. We’ve asked the company, and will update this piece accordingly if we hear back.
Despite experiencing massive growth during the coronavirus lockdown, Zoom has also attracted swathes of criticism for its poor security practices and false marketing claims. The company misleadingly claimed it comes with end-to-end encryption, but researchers were quick to point out that’s not the case.
The service’s iOS app was also caught secretly relaying data to Facebook, but Zoom later pulled the code responsible for that from its software.