Check Point and Zoom identify a security issue in Zoom’s customizable URL feature. If exploited, a hacker could have manipulated meeting ID links while posing as an employee of a potential victim organization via Zoom, giving the hacker a vector for stealing credentials or sensitive information.
Researchers at Check Point worked with Zoom to identify a security issue in Zoom’s customizable URL feature.
According to Zoom, a Vanity URL is a custom URL for your company, such as yourcompany.zoom.us. This vanity URL is required for configuration if you intend to turn on SSO (Single Sign-On). Optionally, you can also brand this vanity page with a customized logo and branding, but generally your end-users do not type in the vanity page's address to access it directly. End-users click a link to join a meeting.
Two Ways to Exploit
The potential security issue could have allowed a hacker to attempt to manipulate a Vanity URL in two ways:
Check Point Research and Zoom worked together to resolve this issue, putting additional safeguards in place for the protection of users. This past January, Check Point Research had worked with Zoom to fix a different potential vulnerability that could have allowed hackers to join a meeting uninvited. The new potential Vanity URL security issue was found by researchers following up on that January collaboration.
Adi Ikan, Group Manager at Check Point Research said, “Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented from exploiting Zoom for criminal purposes. Working together with Zoom’s security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service’s benefits.”