Zoom fixed a vanity URL issue that could have led to phishing attacks

It's been beefing up security since a pandemic-driven explosion in popularity.


Kris Holt
July 16, 2020 6:00 AM

Zoom says it has fixed a security issue that would have let attackers manipulate organizations' custom (vanity) URLs for the service and send legitimate-looking meeting invitations. If a victim accepted the invitation and joined the meeting, the impostor host may have been able to push malware onto their device or carry out a phishing attack.

Attackers could have abused the flaw in two ways. The first involved altering a vanity URL (i.e. https://[organization].zoom.us) so that it carried a direct link to a phony meeting, making the invitation appear to come from that organization. The second targeted organizations that run their own Zoom web interface: the attacker would steer a victim to a malicious vanity URL and urge them to enter their meeting ID there instead of on the organization's real page. A video shared by Zoom and Check Point Research, which helped identify and resolve the issue, shows how the attack worked.
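The first vector comes down to a join link whose host is a vanity subdomain the sender does not actually own. As an added illustration (this is example code, not anything from Zoom, Check Point or Engadget), the Python below triages the join links in incoming invitations against the one vanity label an organization knows is its own. The link shape it checks for, https://[host]/j/[numeric meeting ID], and the 9 to 11 digit ID length are assumptions made for the example; so are the sample links and the "acme" organization.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not taken from Zoom's documentation):
# vanity hosts are a label under zoom.us (acme.zoom.us) and a direct-join
# link has the path /j/<numeric meeting id>, optionally followed by a query.
ZOOM_BASE = "zoom.us"
JOIN_PATH = re.compile(r"^/j/(\d{9,11})/?$")


def classify_link(url: str, org_vanity: str) -> dict:
    """Classify one join link relative to the organization's own vanity label.

    org_vanity is the subdomain label the organization actually owns ("acme").
    Verdicts:
      base          host is zoom.us itself
      own-vanity    host is the organization's own vanity subdomain
      other-vanity  host is some other subdomain of zoom.us (the vector above)
      not-zoom      host is not under zoom.us at all (lookalike domain)
      malformed     not https, or no recognizable join path
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    match = JOIN_PATH.match(parts.path)
    if parts.scheme.lower() != "https" or match is None:
        return {"verdict": "malformed", "host": host, "meeting_id": None}
    meeting_id = match.group(1)
    if host == ZOOM_BASE:
        verdict = "base"
    elif host.endswith("." + ZOOM_BASE):
        # Everything left of ".zoom.us" is the vanity label; it must match exactly,
        # so "acme-it" or "x.acme" do not pass as the organization's own host.
        label = host[: -len("." + ZOOM_BASE)]
        verdict = "own-vanity" if label == org_vanity.lower() else "other-vanity"
    else:
        verdict = "not-zoom"
    return {"verdict": verdict, "host": host, "meeting_id": meeting_id}


def triage_invites(links, org_vanity):
    """Return only the links a reviewer should look at: anything that is not
    the base service or the organization's own vanity host."""
    flagged = []
    for link in links:
        result = classify_link(link, org_vanity)
        if result["verdict"] not in ("base", "own-vanity"):
            flagged.append((link, result["verdict"]))
    return flagged


# Constructed sample links; hosts and meeting IDs are made up for the example.
SAMPLE_INVITES = [
    "https://zoom.us/j/1234567890?pwd=abc",
    "https://acme.zoom.us/j/1234567890",
    "https://acme-it.zoom.us/j/9876543210",
    "https://acme.zoom.us.example.com/j/1234567890",
    "http://acme.zoom.us/j/1234567890",
]

if __name__ == "__main__":
    for link, verdict in triage_invites(SAMPLE_INVITES, "acme"):
        print(f"{verdict:13} {link}")
```

Run as a script it prints the three suspicious links (an unfamiliar vanity subdomain, a lookalike domain and a plain-http link). It only covers the first vector; the second, where a victim types a meeting ID into a form on a malicious vanity site, has to be handled by teaching users to reach the organization's own web interface from a bookmark rather than from a link in an invitation.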

Zoom's popularity exploded amid the COVID-19 pandemic as people looked to chat with friends, family and co-workers via video call. In December, around 10 million people participated in Zoom meetings each day; by April, that figure had shot up to 300 million. The company has just launched a lineup of video-calling devices aimed at people working from home.

With the increased attention on Zoom came more focus on its security and privacy issues. The company has been trying to fix some of its vulnerabilities in recent months, having announced a 90-day plan in April to beef up security. Among the measures it undertook were the formation of a security council and the rollout of a patch packed with security updates.

Zoom also announced it would incorporate end-to-end encryption (E2EE) on video calls for greater security. At first, it was only going to enable E2EE for paying customers, before it relented and said it’d offer it to all users.
