A previously undisclosed bug in Zoom’s customizable URL feature has been addressed that could have offered a hacker a perfect social-engineering avenue for stealing credentials or sensitive information.
Disclosed by Zoom and Check Point on Thursday, the security flaw existed in the “Vanity URL” feature for Zoom, which allows companies to set up their won Zoom meeting domain, i.e. “yourcompany.zoom.us.” Companies can add customized logos and branding to the page, and end users access the page and click meeting links within that page to connect to a Zoom call. Aside from the convenience driver for setting it up, the feature is also required for configuration if users want to turn on Single Sign On for the video service.
To mount an attack, cybercriminals would pose as a legitimate employee in a company, and then send a meeting invitation ostensibly from an organization’s Vanity URL to intended victims – customers, partners, suppliers and so on. However, the attackers would actually be using an invitation URL that included a registered sub-domain of their choice – not the real Vanity URL of the spoofed company.
“In other words, if the original link was https://zoom.us/j/##########, the attacker could change it to https://<organization’s name>.zoom.us/j/##########,” according to an analysis from Check Point issued Thursday. “Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization.”
A second way to initiate an attack would be to target dedicated Zoom web interfaces.
“Some organizations have their own Zoom web interface for conferences,” according to Check Point. “A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface. As with the direct links attacks, without careful cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and have fallen prey to the attack.”
Ultimately, once in the meeting, the attacker could continue to pose as a company employee, and proceed to extract credentials and sensitive information, as well as carry out other fraud actions, by asking certain questions or requesting that materials be sent over.
Check Point didn’t release technical details of the bug, but did note that “There are several ways to enter a meeting containing a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organization’s customized sub-domain web UI.”
Zoom has fixed the issue on its end, closing the exploit capability off. Researchers at Check Point told Threatpost that they aren’t aware of in-the-wild attacks prior to the fix.
“Zoom has addressed the issue reported by Check Point and put additional safeguards in place for the protection of its users,” a Zoom spokesperson told Threatpost, adding that the firm did not consider the issue a zero-day bug. The person went on, “Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue. If you think you’ve found a security issue with Zoom products, please send a detailed report to security@zoom.us.”
“Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented from exploiting Zoom for criminal purposes,” added Adi Ikan, group manager at Check Point, in a statement to media.
The firm noted in its analysis that while the video conferencing service was already popular before the pandemic, in the ‘new normal’ of social distancing it has “become the go-to platform globally for everything from high-level government and business meetings, to university and school classes, to family gatherings – meaning that Zoom usage has soared from 10 million daily meeting participants back in December 2019 to over 300 million in April 2020.”
Zoom Security Parade Continues
Zoom continues to face security issues, even as hackers continue to probe the platform for weaknesses.
Last week, the popular video service patched a zero-day bug in the Zoom Client for Windows that could have allowed remote code-execution. It impacted users of legacy versions of Windows, but was trivial to exploit, researchers said.
And in April, it addressed two zero-day flaws that were uncovered in Zoom’s macOS client version, which could have given local, unprivileged attackers root privileges, and allowed them to access victims’ microphone and camera. And also in April, several new databases were uncovered on underground forums sharing troves of recycled Zoom credentials.
In January, Zoom issued a bevy of security fixes after it came to light that the company’s platform used weak authentication that made it possible for adversaries to join active meetings. The issues stemmed from Zoom’s conference meetings not requiring a “meeting password” by default.
In March and April, there were widespread reports of “Zoom-bombing,” where trolls were hijacking online meetings in order to spread hate speech such as racist messages, threats of sexual harassment and pornographic images, which drove meeting participants offline or forced meetings to be abruptly cancelled.
Other woes have also plagued the company, having to do with privacy. Zoom this spring nixed a feature that came under fire for “undisclosed data mining” of users’ names and email addresses, used to match them with their LinkedIn profiles. It also removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage.
Meanwhile, crooks will continue to target the platform, according to Check Point.
“It’s no surprise that the explosive growth in Zoom usage has been matched by an increase in new domain registrations with names including the word ‘Zoom’, indicating that cybercriminals are targeting Zoom domains as phishing bait to lure victims,” the firm’s analysis noted. “We have also detected malicious files impersonating Zoom’s installation program.”