Update on July 16: A Zoom spokesperson reached out to Laptop Mag to reassure users that the security issue has been fixed: “Zoom has addressed the issue reported by Check Point and put additional safeguards in place for the protection of its users. Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue." The spokesperson also encouraged users to send detailed reports of all security-flaw discoveries to firstname.lastname@example.org (opens in new tab)
Zoom just can't win. The videoconferencing platform — plagued with security issues and PR disasters — was on a path to redemption. But Check Point Research, a cybersecurity firm, poked another hole in Zoom's already fragile reputation.
Capitalizing on Zoom's vanity URL feature, Check Point researchers discovered that hackers could pose as trusted individuals to phish for sensitive information.
- Zoom gets a new game-changing feature -- goodbye, Google Meet
- Zoom vs. Teams: Which video conferencing app is right for you?
- Zoom update 5.0 fixes nasty security issues: How and when to get it
How hackers could use Zoom's vanity URL feature for phishing attacks
Zoom's vanity URL feature allows business users to create custom URLs for their organization. For example, if we created a vanity URL with Zoom, it would be LaptopMag.zoom.us.
Prior to Zoom's fix, a hacker could manipulate ID meeting links and pose as a fellow employee. Appearing to be a legitimate member of the organization, the attacker could send invitations to a victim, which could provide a gateway for the hacker to steal credentials and sensitive information.
In other words, a hacker would have been able to generate a standard meeting link on Zoom (e.g. https://zoom.us/j/67844124) and simply tack on the organization's business name in front of the URL (e.g. LaptopMag.zoom.us/j/67844124). The URL would still work to the attacker's delight. The hacker could email this manipulated link to employees of a targeted organization, entice them to join the Zoom session and phish for sensitive information.
"Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization," Check Point Research investigators wrote.
Zoom has resolved the vanity URL issue
Thankfully, Zoom has quickly nipped the issue in the bud.
"All the details of how an attacker could impersonate an organization’s Zoom subdomain links or actual sub-domain website discussed here were responsibly disclosed to Zoom Video Communications, Inc. as part of our ongoing partnership and cooperation. This security issue has been fixed by Zoom, so the exploits described are no longer possible," the Check Point researchers added.
The last thing Zoom needs is another security vulnerability to rattle its reputation in the press. The super-popular videoconferencing platform is expanding into the hardware market, according to TheVerge, with a $600 device called Zoom For Home — DTEN ME.
DTEN ME is a 27-inch, 1080p touchscreen display that is equipped with three smart webcams and eight built-in, noise-reducing microphones. The device also comes with pre-installed Zoom software.
Considering Zoom's cringe-worthy history of security flaws, some folks may be apprehensive about bringing a Zoom device into their home. The company must continue working on rebuilding its trust with consumers to win over the hardware market.