The vulnerability in the video conference app's "Vanity URL," or customizable URL feature, allowed a bad actor to impersonate an organization's Vanity URL and send a fraudulent invitation that appeared legitimate to the victim, according to new findings from cybersecurity company Check Point.
A bad actor also could have directed a victim to a sub-domain (a sub-section of a primary website's address) webpage, "where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization," Check Point researchers wrote in their findings.
In other words, a hacker could have posed as a legitimate company employee, sent a victim an invitation from an organization's Vanity URL, directed that victim to another webpage and attempted to steal that victim's credentials and information, an act known as "phishing," according to Check Point.
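The practical defence the article points to is checking where an invitation link actually leads before joining. The following is an added example (not code from the article, Check Point or Zoom) that classifies an invite link by its host and path: it accepts only https links under zoom.us, rejects look-alike domains that merely contain "zoom.us", flags links with no meeting ID in the path (the case where a victim would be prompted to type one on an attacker's page), and warns when the vanity sub-domain is not on the organization's own allowlist. The allowlist entry examplecorp.zoom.us and the assumed 9-11 digit meeting ID format are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

ZOOM_BASE_DOMAIN = "zoom.us"
# Constructed allowlist (assumption): the Vanity URL host(s) the organization actually owns.
TRUSTED_VANITY_HOSTS = {"examplecorp.zoom.us"}
# Assumed join-link shape: /j/<meeting id>, with a 9-11 digit numeric ID.
MEETING_PATH = re.compile(r"^/j/(\d{9,11})/?$")


def classify_invite(url, trusted=TRUSTED_VANITY_HOSTS):
    """Return (verdict, meeting_id) for a meeting invitation link.

    Verdicts start with 'ok', 'warn' or 'reject' so callers can act on the prefix.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https" or not host:
        return ("reject: not an https link", None)

    # Exact match or a true sub-domain. A plain suffix test on the string would
    # also accept hosts such as zoom.us.evil.example, so test the dot boundary.
    is_zoom_host = host == ZOOM_BASE_DOMAIN or host.endswith("." + ZOOM_BASE_DOMAIN)
    if not is_zoom_host:
        return ("reject: host is not under zoom.us", None)

    match = MEETING_PATH.match(parts.path)
    if match is None:
        # A link that leads to a page asking the user to enter the meeting ID
        # is exactly the pattern described in the finding; treat it as untrusted.
        return ("warn: no meeting id in path; do not enter an id on a prompted page", None)
    meeting_id = match.group(1)

    if host == ZOOM_BASE_DOMAIN:
        return ("ok: generic zoom.us link", meeting_id)
    if host in trusted:
        return ("ok: trusted vanity host", meeting_id)
    # A zoom.us sub-domain the organization does not own: legitimate-looking,
    # but the organizer should be confirmed out of band before joining.
    return ("warn: vanity host not on allowlist; confirm organizer out of band", meeting_id)


if __name__ == "__main__":
    # Constructed sample links covering each branch.
    for link in (
        "https://examplecorp.zoom.us/j/1234567890",
        "https://zoom.us/j/1234567890",
        "https://other-org.zoom.us/j/1234567890",
        "https://zoom.us.evil.example/j/1234567890",
        "https://examplecorp.zoom.us/",
    ):
        print(link, "->", classify_invite(link))
```

In a mail gateway or a browser extension the same function would run over every link in an incoming calendar invitation, and only the "ok" verdicts would be left clickable without a warning banner.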
A Zoom spokesperson said the company has "put additional safeguards in place for the protection of its users" in response to Check Point's findings.
"Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue," the spokesperson said.
As Check Point researchers note in their findings, Zoom has seen unprecedented growth during the coronavirus pandemic. It grew from about 10 million daily meeting participants in January to more than 300 million in April. Such a surge has exposed a number of flaws in the video conference app.
As part of the app's new 90-day security plan that launched in April, Zoom has been releasing security progress reports over the course of three months. In its latest report, dated July 1, Zoom noted that it has released "100 new features" since the plan launched, including stronger encryption for all users, the ability to report users, cloud recording expiration and more.