The Zoom video conferencing service has resolved a security issue in its custom URL system that allowed criminals to use it to run scams or get victims to install malware. The flaw was identified by Check Point Research, which has published more details about how it worked.
The problem was with the custom (vanity) URL feature, which allows you to create custom addresses for call invitation links, for example FreeGameGuide.zoom.us. The subdomain used (which in this case is “FreeGameGuide”) could be tampered with to make a guest user believe that the address led to an official company room.
Another flaw identified by Check Point was in the personalized portals that companies use to access Zoom. When a user tried to enter a room with the “Join” button, the next screen asked for a meeting identifier without checking whether that meeting was related to the company on the previous page.
As in the other case, the feature allowed a hacker to impersonate a company employee and deceive the user, who had no way of confirming the authenticity of the created room. The trick could be used to steal sensitive information, login data and passwords, and even to instruct the victim to install malware.
Check Point has now released details of the flaws after notifying Zoom. The security problems were solved by the videoconferencing company.