The loophole gave cybercriminals an opening through specialized Zoom URL links.
Massively popular video conferencing platform Zoom has worked with cybersecurity company Check Point to resolve a glaring security issue centered on vanity URLs.
When told about the exploit by Check Point researchers, officials with Zoom put additional safeguards in place to protect users and the issue has now been fully addressed.
With the vanity URL feature, organizations can create custom URLs on Zoom like "http://yourcompany.zoom.us/" and customized versions of Zoom invitation links. Check Point researchers Adi Ikan, Liri Porat, and Ori Hamama said in a study that they worked with Zoom to identify two ways cybercriminals could exploit the widely used feature.
"Prior to Zoom's fix, an attacker could have attempted to impersonate an organization's Vanity URL link and send invitations which appeared to be legitimate to trick a victim," the study said.
"In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization."
If exploited, a cybercriminal would have been able to manipulate meeting ID links by posing as an employee of a potential victim organization via Zoom, giving the hacker a vector for stealing credentials or sensitive information.
To start the exploitation, an attacker would have begun by introducing themselves as legitimate employees in a company, according to the Check Point report. The hacker could then send an invitation from an organization's Vanity URL to relevant customers to gain credibility, and finally, the attacker could proceed to steal credentials and sensitive information, as well as commit other fraudulent actions.
Vanity URLs are required for configuration if you intend to turn on Single Sign-On, and organizations can also brand this vanity page with customized logos. The vanity URL feature is only available for the business version of Zoom.
It is unclear if the issue was ever exploited by cybercriminals, but hackers could easily change the invitation URL to include a registered sub-domain of their choice.
"In other words, if the original link was https://zoom.us/j/##########, the attacker could change it to https://.zoom.us/j/##########. Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization," the study said.
"Some organizations have their own Zoom web interface for conferences. A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface. As with the direct links attacks, without careful cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and have fallen prey to the attack."
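The two variants described above both come down to the same thing: the host portion of a link that looks like a Zoom invitation names a zoom.us sub-domain the recipient does not actually control or recognize. The following is an added example, not code from the Check Point report or from Zoom, showing how a mail gateway or helpdesk script could triage invitation links against an allowlist of sub-domains the organization has itself registered. The allowlist entries, the meeting-ID path convention `/j/<digits>` (taken from the pattern quoted in the study), and the sample links are all constructed for illustration.

```python
from urllib.parse import urlparse

# Hostnames the organization expects invitations to come from.
# Constructed placeholders: replace with the vanity sub-domain(s) you registered.
EXPECTED_ZOOM_HOSTS = {"zoom.us", "yourcompany.zoom.us"}


def classify_zoom_invite(url, expected_hosts=EXPECTED_ZOOM_HOSTS):
    """Return a (verdict, reason) pair for a single invitation link.

    verdicts:
      'trusted'    - a zoom.us host on the allowlist, with a well-formed path
      'suspicious' - a zoom.us sub-domain we did not register, or an odd link
      'not_zoom'   - the host is not under zoom.us at all
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()  # hostname drops port and userinfo

    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parsed.scheme!r}"

    # Only an exact match or a true sub-domain counts; "zoom.us.example.net"
    # and similar suffix lookalikes fall through to 'not_zoom'.
    if not (host == "zoom.us" or host.endswith(".zoom.us")):
        return "not_zoom", f"host {host!r} is not under zoom.us"

    if host not in {h.lower() for h in expected_hosts}:
        return "suspicious", f"zoom.us sub-domain {host!r} is not one we registered"

    # Meeting links carry the numeric meeting ID as /j/<id>; anything else in
    # that slot is worth a second look before the user clicks.
    parts = parsed.path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "j" and not parts[1].isdigit():
        return "suspicious", f"meeting ID {parts[1]!r} is not numeric"

    return "trusted", f"host {host!r} is on the allowlist"


def triage_invites(urls, expected_hosts=EXPECTED_ZOOM_HOSTS):
    """Classify a batch of links and group them by verdict."""
    groups = {"trusted": [], "suspicious": [], "not_zoom": []}
    for url in urls:
        verdict, reason = classify_zoom_invite(url, expected_hosts)
        groups[verdict].append((url, reason))
    return groups


if __name__ == "__main__":
    # Constructed sample links, not real invitations.
    sample = [
        "https://zoom.us/j/1234567890",
        "https://yourcompany.zoom.us/j/1234567890",
        "https://YourCompany.zoom.us/j/1234567890",
        "https://yourcompany-support.zoom.us/j/1234567890",
        "https://zoom.us.example.net/j/1234567890",
    ]
    for verdict, items in triage_invites(sample).items():
        for url, reason in items:
            print(f"{verdict:10s} {url}  ({reason})")
```

The allowlist is the important design choice: checking only that a host ends in `.zoom.us` would pass any sub-domain an attacker registered, which is exactly the gap the study describes. Treating unknown sub-domains as suspicious rather than blocking them outright keeps legitimate invitations from partner organizations visible for a human to confirm.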
The study included screenshots of the kinds of screens people would have come across if the problem had been exploited. There are dozens of examples of what could be done with a problem like this, and the report cites one where an attacker introduces themselves as "legitimate employees" of a company and sends an invitation from the organization's Vanity URL to relevant customers in order to gain credibility.
This alone could be used to steal the credentials and information of people who justifiably may not be able to tell the difference between real and fake links.
Usage of Zoom has skyrocketed since countries around the world instituted quarantine measures as a way to deal with the coronavirus pandemic. The platform went from around 10 million daily users in December 2019 to more than 300 million by April 2020.
The platform has faced widespread criticism for a number of failings as usage reached unprecedented levels. Check Point worked with Zoom earlier this year on another security issue, according to a blog post from the company.
A Zoom spokesperson confirmed that the issue had been addressed and that additional safeguards were "in place for the protection of its users."
"Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue. If you think you've found a security issue with Zoom products, please send a detailed report to firstname.lastname@example.org," the spokesperson said.
Ikan, the group manager at Check Point Research, said now that Zoom has become vital to millions of businesses, it was incumbent upon everyone to make sure it is safe.
"Because Zoom has become one of the world's leading communication channels for businesses, governments and consumers, it's critical that threat actors are prevented from exploiting Zoom for criminal purposes," Ikan said in a statement.
"Working together with Zoom's security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service's benefits."