What was the issue?
Zoom offered a feature to its customers known as vanity URL, where companies could have created their own custom invitation URL for sharing or could add a dedicated and customized website for this service. But due to this nature and a bug in it, any attacker could have just impersonated an organization’s vanity URL link and would have sent illegitimate invitations which looked authentic to the victims. Such an attack could be used to create a phishing campaign where attackers could impersonate the link redirect the victims to a fake website where they could collect the information entered by the target.
What impact this issue would have done?
The issues mentioned above could have been exploited in multiple ways in different scenarios and potentially targeted n number of people, corporations, education organizations, healthcare institutes etc. list is endless.
Has this issue been addressed ?
Check point and Zoom collaborated together to resolve this issue before it could have gone out of hand. Adi Ikan, Network Research and Protection Group Manager in Check Point said: “Our partnership with Zoom has provided Zoom users globally with a safer, simpler and seamless communication experience. cp<r> is dedicated to improve and thrive towards safer technologies, better secured infrastructures, and generally to enrich the greater intelligence community, and will continue such efforts by liaising with product leaders such as Zoom”. More details has been disclosed in the report here.