Check Point Helps Zoom Resolve Vanity URL Security Issue 

Check Point and Zoom identify a security issue in Zoom’s customizable URL feature. If exploited, a hacker would have been able to manipulate ID meeting links by posing as an employee of a potential victim organization via Zoom, giving the hacker a vector for stealing credentials or sensitive information.

• To start the exploitation, an attacker would have begun by introducing themselves as legitimate employees in a company
• Then, the attacker could send an invitation from an organization’s Vanity URL to relevant customers in order to gain credibility
• Finally, the attacker could proceed to steal credentials and sensitive information, as well as other fraud actions 

Researchers at Check Point worked with Zoom to identify a security issue in Zoom’s customizable URL feature.

According to Zoom, a Vanity URL is a custom URL for your company, such as yourcompany.zoom.us. This vanity URL is required for configuration if you intend to turn on SSO (Single Sign On). Optionally, you can also brand this vanity page to have customized logo/branding, but generally your end-users do not type to access this vanity page directly. End-users click a link to join a meeting.

Two-ways to Exploit

The potential security issue could have allowed a hacker to attempt to manipulate a Vanity URL in two ways:

• Targeting via direct links:  when setting up a meeting, the hacker could change the invitation URL to include a registered sub-domain of their choice. In other words, if the original link washttps://zoom.us/j/##########, the attacker could change it to https://.zoom.us/j/##########. Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization.   
• Targeting dedicated Zoom web interfaces:  some organizations have their own Zoom web interface for conferences. A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface.  As with the direct links attacks, without careful cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and have fallen prey to the attack.   

Check Point Research and Zoom worked together to resolve this issue, setting additional safeguards in place for the protection of users. Previously, Check Point Research worked with Zoom this past January to fix a different potential vulnerability that could have allowed hackers to join a meeting uninvited.  The new potential Vanity URL security issue was found by researchers following up on the prior January collaboration. 

Adi Ikan, Group Manager at Check Point Research said, “Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented  from exploiting Zoom for criminal purposes. Working together with Zoom’s security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service’s benefits.”