A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations


In a report shared with The Hacker News, researchers at
cybersecurity firm Check Point today disclosed details of a minor
but easy-to-exploit flaw they reported in Zoom, the highly popular
and widely used video conferencing software.

The latest Zoom flaw could have allowed attackers to mimic an
organization, tricking its employees or business partners into
revealing personal or other confidential information through social
engineering.

Social engineering attacks may sound a bit boring, but that is
exactly what set Twitter on fire just last night, when hundreds of
high-profile Twitter accounts were hacked [1] to promote a
cryptocurrency scam, all thanks to an employee's compromised
internal tooling account.

The vulnerability resides in Zoom's customizable URL feature,
dubbed Vanity URL, which lets a company create a custom subdomain
and branded landing page, such as "yourcompany.zoom.us", so that the
invitation link to a meeting looks like
https://organization_name.zoom.us/j/########## instead of the
regular https://zoom.us/j/########## format.

The Check Point team found that, due to improper account validation,
any meeting ID could have been launched using any organization's
Vanity URL, even if the meeting had been set up by an unrelated
individual account.

“The security issue is focused on the sub-domain
functionalities,” the researchers said. “There are several ways to
enter a meeting containing a sub-domain, including using a direct
sub-domain link containing the meeting ID, or using the
organization’s customized sub-domain web UI.”

Attackers can exploit this loophole in two ways:

  • Attack via direct links: A hacker can change the invitation
    URL, such as https://zoom.us/j/##########, to include any
    organization's registered sub-domain, like
    https://<organization's name>.zoom.us/j/##########, when setting
    up a meeting. A user receiving this invitation link may fall into
    the attacker's trap, thinking that the invitation is genuine and
    was issued by the real organization.
  • Attacking dedicated Zoom web interfaces: Since some
    organizations have their own branded Zoom web interface for
    conference calls, a hacker could also target such an interface
    and attempt to redirect a user to enter a meeting ID into the
    malicious Vanity URL rather than the organization's actual Zoom
    web interface, so that the user joins the attacker's Zoom
    session.

A successful exploit enables a convincing phishing attempt,
allowing attackers to pose as legitimate employees of the company
and potentially steal credentials and sensitive information or
carry out other fraud.
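Zoom's fix for this issue was server-side, but the two attack paths above suggest a defense-in-depth check that a mail gateway or link scanner can apply to incoming invitations: parse the join link, extract the vanity subdomain (if any) and the meeting ID, and flag links whose branding does not match the sender's organization. The following is an added example written for this article, not code from Zoom or Check Point. It assumes that meeting IDs are 9 to 11 digits, that regional Zoom web hosts follow a two-letters-two-digits-"web" pattern (such as us02web), and that the security team maintains a local map from sender e-mail domains to the vanity subdomains those organizations actually own; the map contents here are constructed sample data.

```python
"""Flag Zoom invitation links whose vanity subdomain does not match the sender.

Added illustrative example; not Zoom's or Check Point's code.
"""
import re
from urllib.parse import urlparse

# Zoom join paths look like /j/<meeting id>. Assumption: IDs are 9-11 digits.
_JOIN_PATH = re.compile(r"^/j/(\d{9,11})/?$")

# Non-vanity Zoom hosts besides the bare domain: regional web clusters such as
# us02web.zoom.us. Assumption: two letters, two digits, then "web".
_REGIONAL = re.compile(r"^[a-z]{2}\d{2}web$")

# Assumed, locally maintained map: sender e-mail domain -> vanity subdomains
# that organization legitimately owns. Constructed sample data.
KNOWN_VANITY = {
    "example.com": {"example", "examplecorp"},
}


def parse_zoom_join_link(url):
    """Return (vanity_subdomain, meeting_id) for a Zoom join link.

    vanity_subdomain is None for https://zoom.us/j/... and for regional hosts.
    Returns None when the URL is not a Zoom join link at all, which also
    covers look-alike domains such as example.zoom.us.evil.test.
    """
    p = urlparse(url.strip())
    if p.scheme != "https" or not p.hostname:
        return None
    host = p.hostname.lower()
    if host == "zoom.us":
        sub = None
    elif host.endswith(".zoom.us"):
        sub = host[: -len(".zoom.us")]
        if sub == "www" or _REGIONAL.match(sub):
            sub = None
        elif not re.fullmatch(r"[a-z0-9-]+", sub):
            return None  # nested or malformed labels: not a vanity URL
    else:
        return None
    m = _JOIN_PATH.match(p.path)
    if not m:
        return None
    return sub, m.group(1)


def assess_invite(url, sender_email, known_vanity=KNOWN_VANITY):
    """Classify an invitation link against the sender's organization.

    Returns one of: 'not-zoom', 'generic', 'ok', 'unknown-vanity', 'mismatch'.
    'mismatch' is the scenario from the article: the link is branded with an
    organization's vanity subdomain, but the sender is not from that
    organization, so the branding cannot be trusted.
    """
    parsed = parse_zoom_join_link(url)
    if parsed is None:
        return "not-zoom"
    sub, _meeting_id = parsed
    if sub is None:
        return "generic"  # unbranded link: no organization is being claimed
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    owners = {d for d, subs in known_vanity.items() if sub in subs}
    if not owners:
        return "unknown-vanity"  # branded, but for an organization we do not track
    if sender_domain in owners:
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: a branded link sent from outside the organization.
    print(assess_invite("https://example.zoom.us/j/1234567890",
                        "someone@freemail.test"))
```

The check deliberately treats an unbranded https://zoom.us/j/... link as lower risk than a branded link from an unexpected sender: the flaw let an attacker borrow an organization's branding, so the branding itself is the signal worth verifying. The same host check applies to the second attack path, where a user is steered to a branded web interface at the wrong subdomain.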


Check Point researchers responsibly disclosed the issue to Zoom
Video Communications Inc. and worked together to address it and put
additional safeguards in place for the protection of users.

“Because Zoom has become one of the world’s leading
communication channels for businesses, governments and consumers,
it’s critical that threat actors are prevented from exploiting Zoom
for criminal purposes,” Adi Ikan, Group Manager at Check Point
Research, told The Hacker News.

“Working together with Zoom’s security team, we have helped Zoom
provide users globally with a safer, simpler and trusted
communication experience so they can take full advantage of the
service’s benefits.”

Earlier this year, Check Point Research also worked with Zoom to
patch a severe privacy bug [2] that could have allowed uninvited
people to join private meetings and remotely eavesdrop on private
audio, video, and documents shared throughout the session.

Due to the ongoing coronavirus outbreak, the usage of Zoom video
conferencing software has skyrocketed—from 10 million daily meeting
participants back in December 2019 to more than 300 million in
April 2020, making it a favorite target of cybercriminals.

Just last week, Zoom patched a zero-day vulnerability [3] in all
supported versions of the Zoom client for Windows that could have
allowed an attacker to execute arbitrary code on a victim's computer
running Microsoft Windows 7 or older.

Last month, Zoom addressed two critical security vulnerabilities [4]
in its video conferencing software for Windows, macOS, and Linux
computers that could have allowed attackers to remotely compromise
the systems of group chat participants or of an individual
recipient.

In April, a series of issues [5] were uncovered and reported in
Zoom [6], which raised privacy and security concerns surrounding
the video conferencing software among millions of its users.

References

  1. high-profile Twitter accounts were hacked (thehackernews.com)
  2. severe privacy bug (thehackernews.com)
  3. zero-day vulnerability (thehackernews.com)
  4. two critical security vulnerabilities (thehackernews.com)
  5. series of issues (thehackernews.com)
  6. reported in Zoom (thehackernews.com)
