Zoom URL flaw could have allowed hackers to steal sensitive info

Zoom has since fixed the flaw

Zoom has fixed a flaw with its customizable URL feature that would have allowed hackers to steal sensitive information from users, new research shows.

The vulnerability in the video conference app's "Vanity URL," or customizable URL feature, allowed a bad actor to impersonate an organization's Vanity URL and send a fraudulent invitation that appeared to be legitimate to the victim, according to new findings from cybersecurity company Check Point.

A bad actor also could have directed a victim to a sub-domain (a sub-section of a primary website's address) webpage, "where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization," Check Point researchers wrote in their findings.

In other words, a hacker could have posed as a legitimate company employee, sent a victim an invitation from an organization’s Vanity URL, directed that victim to another webpage and attempted to steal that victim's credentials and information, an act known as "phishing," according to Check Point.

A Zoom spokesperson said the company has "put additional safeguards in place for the protection of its users" in response to Check Point's findings.

"Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue," the spokesperson said.

As Check Point researchers note in their findings, Zoom has seen unprecedented growth during the coronavirus pandemic. It grew from about 10 million daily meeting participants in January to more than 300 million in April. Such a surge has exposed a number of flaws with the video conference app.

Zoom has come under pressure from Congress, state lawmakers and the FBI over privacy and security concerns that have since been fixed over the course of the past several months.

As part of the app's new 90-day security plan that launched in April, Zoom has been releasing security progress reports over the course of three months. In its latest July 1 report, Zoom noted that it has released "100 new features" since the plan launched, including stronger encryption for all users, the ability to report users, cloud recording expiration and more.
