In a report shared with The Hacker News, researchers at cybersecurity firm CheckPoint today disclosed details of a minor but easy-to-exploit flaw they reported in Zoom, the highly popular and widely used video conferencing software.
The latest Zoom flaw could have allowed attackers mimic an organisation, tricking its employees or business partners into revealing personal or other confidential information using social engineering tricks.
We know, social engineering attacks may sound a bit boring, but someone used the same to put Twitter on fire just last night when hundreds of high-profile Twitter accounts were hacked to promote a cryptocurrency scam, all thanks to an employee’s compromised internal tooling account.
The said vulnerability resides in Zoom’s customisable URL feature dubbed Vanity URL, aiming to let companies create a custom URL on its subdomain and branded landing page, such as “yourcompany.zoom.us,” where the invitation link to a meeting then looks like https://organisation_name.zoom.us/j/##########, instead of regular https://zoom.us/j/########## format.
CheckPoint team found that due to improper account validation, any meeting ID could have been launched using any organisation’s Vanity URL, even if a meeting was set up by a separate individual account.
“The security issue is focused on the sub-domain functionalities,” the researchers said. “There are several ways to enter a meeting containing a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organisation’s customised sub-domain web UI.”
Attackers can exploit this loophole in two ways:
- Attack via direct links: A hacker can change the invitation URL, such as https://zoom.us/j/##########, to include a registered sub-domain of their choice, like https://< organisation’s name>.zoom.us/j/##########, when setting up a meeting. A user receiving this invitation link may fall under the attacker’s trap, thinking that the invitation was genuine and issued from a real organisation.
- Attacking dedicated Zoom web interfaces: Since some organisations have their Zoom web interface for conference calls, a hacker could also target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual Zoom web interface and join the relevant Zoom session.
The impact of this issue can lead to a successful phishing attempt, allowing the attackers to pose as a legit employee of the company, which potentially enables them to steal credentials and sensitive information and carry out other fraud actions.
images from Hacker News