Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack.
Hackers could have taken advantage of the flaw in two ways. One involved changing a vanity URL (i.e. http://[whatever].zoom.com) to include a direct link to a phony meeting. The other centered on targeting an organization’s own Zoom web interface and urging a victim to enter their meeting ID into a malicious vanity URL instead. A video shared by Zoom and Check Point Research, which helped identify and resolve the issue, shows how the exploit worked.
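Both vectors described above depend on a victim trusting a link because it contains a Zoom-looking vanity name. The check below is an added example (not code from Zoom or Check Point Research) of how an organization's mail or endpoint tooling could triage meeting links before a user follows them: trust is anchored on the exact vanity host the organization knows it owns, not on the presence of a familiar string anywhere in the URL. The vanity host `example-org.zoom.us`, the `/j/<meeting id>` join-path shape and every sample URL are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical: the vanity host(s) this organisation has registered and owns.
# Constructed sample value; a real deployment would load this from config.
TRUSTED_VANITY_HOSTS = {"example-org.zoom.us"}

# Assumed join-link shape: /j/<9-11 digit meeting id>. Query strings (e.g. a
# password parameter) are not part of .path, so they do not affect the match.
JOIN_PATH = re.compile(r"^/j/\d{9,11}$")


def classify_invite(url: str, trusted_hosts=TRUSTED_VANITY_HOSTS) -> str:
    """Return 'ok' for a link that matches the organisation's own vanity host and
    join path, otherwise a short reason the link should not be trusted."""
    try:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()   # may raise ValueError on bad netloc
        username, password = parts.username, parts.password
    except ValueError:
        return "unparseable"

    # Reject plain http: a vanity name in an http link can be intercepted or
    # rewritten in transit before the user reaches the real service.
    if parts.scheme != "https":
        return "not-https"

    # "https://example-org.zoom.us@evil.example/..." puts the trusted name in
    # the userinfo part; urlparse correctly reports evil.example as the host,
    # but we name the trick explicitly so the reason is actionable.
    if username or password:
        return "userinfo-in-url"

    # Exact host match only: lookalikes such as examp1e-org.zoom.us or
    # example-org.zoom.us.evil.example must not pass a suffix/substring test.
    if host not in trusted_hosts:
        return "untrusted-host"

    if not JOIN_PATH.match(parts.path):
        return "unexpected-path"

    return "ok"


def triage_invites(urls):
    """Classify a batch of links; returns {url: reason} for review or blocking."""
    return {u: classify_invite(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, not real invitations.
    samples = [
        "https://example-org.zoom.us/j/1234567890",
        "https://example-org.zoom.us/j/1234567890?pwd=abc",
        "http://example-org.zoom.us/j/1234567890",
        "https://example-org.zoom.us.evil.example/j/1234567890",
        "https://example-org.zoom.us@evil.example/j/1234567890",
        "https://examp1e-org.zoom.us/j/1234567890",
        "https://example-org.zoom.us/s/not-a-join-link",
    ]
    for link, verdict in triage_invites(samples).items():
        print(f"{verdict:16} {link}")
```

The exact-match rule is the important design choice: a substring or suffix test on the host would accept the two lookalike hosts in the sample list, which is precisely the kind of legitimate-seeming link the article describes.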
Zoom’s popularity exploded amid the COVID-19 pandemic as people looked to chat with friends, family and co-workers via video call. In December, around 10 million people participated in Zoom meetings each day, but by April, that figure had shot up to 300 million. Zoom has just launched a lineup of video-calling devices targeted at people who are working from home.
With the increased attention on Zoom came more focus on its security and privacy issues. The company has been trying to fix some of its vulnerabilities in recent months, having announced a 90-day plan in April to beef up security. Among the measures it undertook were the formation of a security council and the rollout of a patch packed with security updates.
Zoom also announced it would incorporate end-to-end encryption (E2EE) on video calls for greater security. At first, it was only going to enable E2EE for paying customers, before it relented and said it’d offer it to all users.