By April of this year, the Zoom platform hosted 300 million meeting participants per day, a thirty-fold increase over the figures of five months prior. As cyber crooks began to target the platform, the company launched a 90-day cyber security marathon to outpace them. While the ‘marathon’ has technically ended, the race to improve the platform’s security is still on.
Announced today, Zoom has just resolved a previously undisclosed vulnerability that could have posed a sizeable threat to organizations, their employees and their third-party contacts.
At the center of this story is the ‘Vanity URL’ feature on Zoom. In case you’re unfamiliar, a Vanity URL is a custom URL for a given organization, such as yourcompany.zoom.us. Custom URLs of this nature allow employees to access a site using single sign-on (SSO), a more secure method of logging on than using individual accounts.
The first Vanity URL attack method:
Prior to Zoom’s fix, a malicious actor could have launched an attack by spoofing an organization, acting as an employee, and sending out an illegitimate Zoom link. Once a victim joined the call, an attacker could have injected malware into the victim’s device, or executed a phishing attack.
A second Vanity URL attack method:
For organizations with dedicated Zoom web interfaces, a hacker could have targeted the interface and tricked a meeting participant into entering a meeting ID in the malicious Vanity URL. Once the user logged into the meeting, the hacker could have posed as an employee, and asked questions that prompted the meeting participant to share credentials and sensitive information.
Zoom has resolved the issue in collaboration with cyber security company Check Point Software. Experts expect for Zoom related cyber attacks to continue. Organizations and employees should remain vigilant in guarding against these cyber threats.
For technical details on the Vanity URL bug, click here.