Zoom bug allowed anyone to use a company’s custom meeting URL
Cybersecurity professionals are still finding some big problems with Zoom.
On Thursday, researchers at online security firm Check Point disclosed their latest discovery: an exploit in Zoom which would have allowed any bad actor to use a company’s vanity URL for their own video meeting.
Here’s what this means. Basically, companies and organizations paying Zoom for video conferencing services can set up a unique vanity subdomain to brand their meetings right in the Zoom domain name. For example, a company can set up its video meetings to live on the URL https://YourCompany.zoom.us/meetingID.
This bug allowed anyone to set up their own Zoom meeting and add any subdomain registered with Zoom. Let’s say McDonald’s used a mcdonalds.zoom.us custom subdomain for its meetings. Anyone could have started their own meeting and added the “mcdonalds” subdomain to their own personal Zoom meeting link, and the link would have worked. That URL would have led users who clicked it to the bad actor’s personal Zoom meeting.
Those attending the Zoom meeting could be tricked into believing they were on a conference call with the company mentioned in the subdomain. Attackers could have used this ability to pose as a company representative and social engineer real employees or customers into divulging sensitive information.
Furthermore, there was a secondary way in which this exploit could have been abused.
Some companies with custom Zoom URLs set up branded web conference interfaces for their meeting logins. Continuing to use the example above, McDonald’s could have set up its own branded mcdonalds.zoom.us dashboard with company logo and other branding to act as a central space for its employees to log in and input meeting IDs to attend.
The exploit allowed any meeting ID to be entered into a company’s branded Zoom interface, regardless of whether or not it was a meeting set up by a company employee. That means an attacker could’ve started their own meeting, then directed a user to the mcdonalds.zoom.us dashboard to input the attacker’s meeting ID, and the user would have entered the attacker’s Zoom meeting.
It’s easy to understand how a user who entered a Zoom meeting through a web interface complete with McDonald’s branding, at the URL mcdonalds.zoom.us, would believe that this was an official company Zoom conference.
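Both abuse paths above come down to one missing server-side check: whether the meeting's host account is the account that owns the vanity subdomain. The sketch below is an added example, not Zoom's or Check Point's code; the account names, meeting IDs, lookup tables and function names are hypothetical and the data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical): the account that owns each vanity
# subdomain, and the account that hosts each meeting ID.
VANITY_OWNER = {"mcdonalds": "acct-mcdonalds"}
MEETING_HOST = {
    "111222333": "acct-mcdonalds",  # scheduled by a company employee
    "999888777": "acct-outsider",   # scheduled on an unrelated personal account
}
NEUTRAL_HOSTS = {"zoom.us", "www.zoom.us"}
SUFFIX = ".zoom.us"


def parse_join_url(url):
    """Return (subdomain or None, meeting_id) for a link shaped like the article's."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    meeting_id = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if host in NEUTRAL_HOSTS:
        return None, meeting_id
    if host.endswith(SUFFIX):
        return host[: -len(SUFFIX)], meeting_id
    raise ValueError("not a zoom.us host")


def resolve_unchecked(subdomain, meeting_id):
    """Behaviour the article describes: the subdomain is never tied to the host."""
    return meeting_id in MEETING_HOST


def resolve_checked(subdomain, meeting_id):
    """Admit through a vanity name only if the meeting's host account owns it."""
    host_account = MEETING_HOST.get(meeting_id)
    if host_account is None:
        return False
    if subdomain is None:
        return True  # an un-branded link makes no ownership claim
    return VANITY_OWNER.get(subdomain) == host_account


def join_via_link(url, resolver):
    """Path 1: the user clicks a link carrying a company subdomain."""
    return resolver(*parse_join_url(url))


def join_via_dashboard(subdomain, typed_meeting_id, resolver):
    """Path 2: the user types a meeting ID into the branded dashboard."""
    return resolver(subdomain, typed_meeting_id.replace(" ", ""))
```

With the checked resolver, the outsider's meeting is refused on both the branded link and the branded dashboard, while the same meeting ID still resolves on the un-branded host.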
Check Point provided some visuals regarding how the exploit could have been used in the video below.
“Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented from exploiting Zoom for criminal purposes,” explained Check Point Group Manager Adi Ikan in a statement.
According to Check Point, the company worked together with Zoom to fix the issue. The company said that Zoom has also established additional security measures to protect users from being affected by this problem.
Zoom has become a standout tech success during the coronavirus pandemic. The video conferencing company gained millions of new users in a matter of months at the start of the COVID-19 lockdowns.
However, the company also had its share of security issues during that time period. The most notable issue involved Zoombombing, where uninvited users would find their way into a private Zoom conference and disrupt the meeting.
Since most of these came to light, Zoom has pledged to prioritize security issues. This latest security flaw could’ve caused some real problems, but thankfully the issue can no longer be exploited.