- Check Point says Zoom Vanity URL could’ve been manipulated in two ways
- Both the methods could’ve led to potential phishing attacks
- Zoom had earlier fixed a Zoomboming issue with Check Point’s help
Zoom along with the cybersecurity company Check Point has fixed an issue with its vanity URLs that could have potentially allowed hackers to manipulate meeting ID links for phishing purposes. If users had accepted or clicked on the particular malicious vanity URL, attackers could’ve possibly injected malware into the device to carry out a phishing attack. A vanity URL is described as a custom URL used by brands for marketing purposes. It essentially allows users to remember or find a specific page within the website, such as “http://[yourcompany.zoom.com].zoom.com.” According to Check Point, this vulnerability could’ve been manipulated in two ways.
The details about Zoom’s Vanity URL vulnerability fix were shared by Check Point in blog post on Thursday.
“This was a joint effort between Check Point and Zoom. Together, we’ve taken important steps to protect users of Zoom everywhere,” Network Research & Protection Group Manager at Check Point, Adi Ikan stated in the blog post.
Vanity URL vulnerability
As mentioned, the vulnerability could have allowed hackers to manipulate a vanity URL in two ways. The first way of targeting was via direct links. Check Point states that this would have allowed a hacker to directly change the Zoom invitation link that might be difficult to recognise by a person without “particular cyber-security training.”
The second way of targeting Zoom users was through dedicated Zoom Web interfaces. Some organisations have their own Zoom Web interface for conferences.
“A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface,” Check Point noted.
These two methods of manipulating vanity URLs would have allowed hackers to steal Zoom users’ data. The issue has been fixed by Zoom, according to Check Point.
Notably, the cybersecurity firm had worked with Zoom earlier in January to fix another potential vulnerability that could have allowed hackers to join a meeting uninvited (also known as Zoombombing). After Check Point pointed out the issue, Zoom introduced passwords by default for all future scheduled meetings.