Zoom resolves security issue that could be exploited to manipulate meeting IDs
This issue, if left as is, would have allowed a hacker to manipulate meeting IDs by posing as an employee of a potential victim organisation on Zoom.
Zoom and researchers at Check Point worked together to identify a security issue in Zoom's customisable URL (Vanity URL) feature. If left unfixed, the issue would have allowed a hacker to manipulate meeting IDs by posing as an employee of a potential victim organisation on Zoom, giving the hacker a vector for stealing credentials and sensitive information.
Zoom explained that a Vanity URL is a company's custom URL, for example yourcompany.zoom.us, and that a vanity URL is required when configuring SSO (Single Sign-On).
Companies can also brand this vanity page with their own logo. End users generally do not get any other access to the page; they simply click on a link to join a meeting there.
The security issue Zoom and Check Point fixed could have been exploited in two ways. First, a hacker could have manipulated the Vanity URL in direct links. While setting up a meeting, the hacker could have changed the invitation URL to include a registered sub-domain of their choice. For example, if the original link was https://zoom.us/j/##########, the attacker could change it to https://<organization's name>.zoom.us/j/##########.
Without specific cybersecurity training on how to recognise the appropriate URL, a normal user receiving this invitation would not have been able to tell that it was not genuinely issued by the real organisation.
The second way to exploit this issue is by targeting dedicated Zoom interfaces. Some organisations have their own Zoom web interface for conferences. A hacker could target this interface and attempt to redirect a user to enter a meeting ID into a malicious Vanity URL instead of the genuine Zoom interface. As with direct links, most people would not be able to tell a malicious URL from a genuine one without appropriate training.
The hacker would begin by introducing themselves as a legitimate employee of a company and send an invitation from the organisation's Vanity URL to relevant users to gain credibility. Finally, when a user fell for the malicious URL, the hacker could steal credentials and sensitive information.
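The mismatch the article describes is detectable on the receiving side: a join link under an organisation's vanity subdomain that arrives from a sender who does not belong to that organisation. The following is an added example (not code from Zoom, Check Point or the article) of a mail-gateway style check that parses a Zoom join link, rejects look-alike hosts such as zoom.us.evil.example, and flags vanity links whose subdomain is not owned by the sender's domain. The `VANITY_OWNERS` map, the `acme` subdomain and the e-mail addresses are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed for this example: which e-mail domains are allowed to send invites
# under which vanity subdomain. A real deployment would load this from config.
VANITY_OWNERS = {
    "acme": {"acme.example"},   # only acme.example staff may invite via acme.zoom.us
}


def parse_zoom_join_link(url):
    """Return (vanity_subdomain, meeting_id) for an https Zoom join link.

    vanity_subdomain is "" for plain zoom.us links. Returns None for anything
    that is not a well-formed Zoom join link, including look-alike hosts such
    as zoom.us.evil.example and nested subdomains.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower()   # hostname drops any :port and lowercases
    if host == "zoom.us":
        subdomain = ""
    elif host.endswith(".zoom.us"):
        subdomain = host[: -len(".zoom.us")]
        if not subdomain or "." in subdomain:
            return None
    else:
        return None                         # includes zoom.us.<anything>
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "j" or not segments[1].isdigit():
        return None
    return subdomain, segments[1]


def classify_invite(url, sender_email, vanity_owners=VANITY_OWNERS):
    """Classify an invite link seen in mail from sender_email.

    "not-zoom":   not a Zoom join link at all (or a look-alike host)
    "generic":    plain zoom.us link; no vanity branding to abuse
    "trusted":    vanity link whose subdomain is owned by the sender's domain
    "suspicious": vanity link used by a sender outside the owning organisation
    """
    parsed = parse_zoom_join_link(url)
    if parsed is None:
        return "not-zoom"
    subdomain, _meeting_id = parsed
    if subdomain == "":
        return "generic"
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain in vanity_owners.get(subdomain, set()):
        return "trusted"
    return "suspicious"


if __name__ == "__main__":
    # Constructed sample invites: the third one is the pattern from the article,
    # an outsider mailing a link under someone else's vanity subdomain.
    samples = [
        ("https://zoom.us/j/1234567890", "anyone@example.net"),
        ("https://acme.zoom.us/j/1234567890", "alice@acme.example"),
        ("https://acme.zoom.us/j/1234567890", "outsider@mail.example"),
        ("https://acme.zoom.us.evil.example/j/1234567890", "alice@acme.example"),
    ]
    for url, sender in samples:
        print(f"{classify_invite(url, sender):<10} {sender:<25} {url}")
```

The check deliberately treats anything that is not exactly `zoom.us` or one label below it as "not-zoom", so a host like `acme.zoom.us.evil.example` never reaches the vanity comparison. Whether a "suspicious" result should quarantine the message or only add a banner depends on how often partners legitimately forward invites.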
The issue has been fixed, so you can Zoom in peace now.