Zoom is once again facing a security flaw that attackers could exploit to send fraudulent meeting invitations. Zoom revealed that it has patched a vulnerability that could allow an attacker to impersonate legitimate business accounts in order to harvest user information, steal data, and infect employees with malware.
The vulnerability was discovered by security company Check Point and disclosed to Zoom. The problem lies in Zoom's vanity URL feature, which allows Business plan customers to create custom meeting paths for their company, such as freewareshome.zoom.us. Unfortunately, an attacker needs only a few small changes to turn a normal link into a malicious invitation, and does not need much information about the target user.
An attacker can create an ordinary meeting link in the standard format (such as https://zoom.us/j/##########) and simply prefix the host with the vanity subdomain of any legitimate organization (freewareshome.zoom.us/j/##########); the meeting remains reachable through the altered link.
This makes it easier to deceive users into believing that a meeting invitation comes from a company they know, and the attacker can then steal credentials or other sensitive information from them. Besides forging meeting links by hand, attackers could also abuse the custom Zoom web interface offered to businesses to trick users into joining malicious meetings.
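As an added illustration (not code from the article, Zoom, or Check Point), the following Python sketch shows why the vanity subdomain in a link proves nothing about who created the meeting: it parses join links into subdomain and meeting ID, shows that a plain link and a vanity-prefixed link name the same meeting, and triages inbound invites against a table of meetings each organisation actually scheduled with us. The `freewareshome` name comes from the article; the `expected_meetings` table, the other subdomains, and the meeting IDs are constructed assumptions.

```python
from urllib.parse import urlsplit

ZOOM_BASE = "zoom.us"


def parse_zoom_join_url(url):
    """Split a Zoom join link into (vanity_subdomain, meeting_id).

    Returns None for anything that is not a zoom.us /j/<id> link. The
    vanity subdomain is '' for a plain https://zoom.us/j/... link.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Accept only zoom.us itself or a subdomain of it (not look-alike domains)
    if host != ZOOM_BASE and not host.endswith("." + ZOOM_BASE):
        return None
    segments = parts.path.split("/")
    # Join links have the shape /j/<numeric meeting id>
    if len(segments) < 3 or segments[1] != "j" or not segments[2].isdigit():
        return None
    vanity = host[: -len(ZOOM_BASE)].rstrip(".")
    return vanity, segments[2]


def same_meeting(url_a, url_b):
    """True when both links carry the same meeting id, regardless of the
    subdomain placed in front of zoom.us."""
    a, b = parse_zoom_join_url(url_a), parse_zoom_join_url(url_b)
    return a is not None and b is not None and a[1] == b[1]


def triage_invite(url, expected_meetings):
    """Classify an inbound invite for a mail filter.

    expected_meetings (assumed input, e.g. built from calendar entries) maps
    a vanity subdomain to the set of meeting ids that organisation really
    scheduled with us. A vanity link whose id is not in that set is
    suspicious: the company name in the host does not prove who made it.
    """
    parsed = parse_zoom_join_url(url)
    if parsed is None:
        return "not-a-zoom-join-link"
    vanity, meeting_id = parsed
    if vanity == "":
        return "plain-zoom-link"
    if vanity not in expected_meetings:
        return "unknown-vanity-subdomain"
    if meeting_id in expected_meetings[vanity]:
        return "expected"
    return "vanity-mismatch"  # known company name, unscheduled meeting id
```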
Zoom has fixed the flaw, but it is unclear whether attackers exploited it in practice. This is the latest in a series of security incidents that have plagued the online conferencing service since it became popular during the Covid-19 pandemic.