Zoom Addresses Vanity URL Zero-Day
2020-07-16 16:14

Disclosed by Zoom and Check Point on Thursday, the security flaw existed in the "Vanity URL" feature for Zoom, which allows companies to set up their own Zoom meeting domain, i.e. "Yourcompany.zoom.us." Companies can add customized logos and branding to the page, and end users access the page and click meeting links within that page to connect to a Zoom call.

"A hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface. As with the direct links attacks, without careful cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and have fallen prey to the attack."

"Zoom has addressed the issue reported by Check Point and put additional safeguards in place for the protection of its users," a Zoom spokesperson told Threatpost, adding that the firm did not consider the issue a zero-day bug.

"Because Zoom has become one of the world's leading communication channels for businesses, governments and consumers, it's critical that threat actors are prevented from exploiting Zoom for criminal purposes," added Adi Ikan, group manager at Check Point, in a statement to media.

"It's no surprise that the explosive growth in Zoom usage has been matched by an increase in new domain registrations with names including the word 'Zoom', indicating that cybercriminals are targeting Zoom domains as phishing bait to lure victims," the firm's analysis noted.


News URL

https://threatpost.com/zoom-vanity-url-zero-day/157510/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoom 54 4 51 80 12 147