Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack.
Hackers could have taken advantage of the exploit in two ways. One involved changing a vanity URL (i.e. http://[whatever].zoom.com) to include a direct link to a phony meeting. The other centered around targeting an organization’s own Zoom web interface, and urging a victim to enter their meeting ID into a malicious vanity URL instead. A video shared by Zoom and Check Point Research, which helped identify and resolve the issue, shows how the exploit worked.
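Both vectors described above hinge on a victim trusting a vanity subdomain that is not their organisation's. The check below, an added example written for this page rather than Zoom's or Check Point's code, flags invitation links whose subdomain differs from the one the organisation actually registered; the `zoom.com` base domain follows the article's wording and the `/j/<meeting id>` path shape is an assumption.

```python
"""Flag Zoom invitation links whose vanity subdomain is not the organisation's own.
Added example for this article (not Zoom's or Check Point's code)."""
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "zoom.com"                        # as written in the article (assumption)
MEETING_PATH = re.compile(r"^/j/(\d{9,11})$")   # assumed invite path shape


def check_invite(url: str, expected_vanity: str) -> dict:
    """Return a verdict dict for an invitation link.

    expected_vanity is the subdomain the organisation registered, e.g. 'acme'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    verdict = {"ok": False, "vanity": None, "meeting_id": None, "reasons": []}

    if parts.scheme != "https":
        verdict["reasons"].append("non-https scheme")

    # Host must be exactly <vanity>.<BASE_DOMAIN>; anything else is either a
    # lookalike domain or a vanity URL the sender, not the organisation, controls.
    labels = host.split(".")
    base_labels = BASE_DOMAIN.split(".")
    if len(labels) != len(base_labels) + 1 or labels[1:] != base_labels:
        verdict["reasons"].append(f"host {host!r} is not a {BASE_DOMAIN} vanity URL")
    else:
        verdict["vanity"] = labels[0]
        if labels[0] != expected_vanity.lower():
            verdict["reasons"].append(
                f"vanity subdomain {labels[0]!r} differs from expected {expected_vanity!r}")

    match = MEETING_PATH.match(parts.path)
    if match:
        verdict["meeting_id"] = match.group(1)
    else:
        verdict["reasons"].append(f"unexpected path {parts.path!r}")

    verdict["ok"] = not verdict["reasons"]
    return verdict


if __name__ == "__main__":
    # Constructed sample links: one genuine, one on a sender-controlled vanity URL,
    # one on a lookalike host.
    for link in ("https://acme.zoom.com/j/1234567890",
                 "https://acme-support.zoom.com/j/1234567890",
                 "https://acme.zoom.com.evil.example/j/1234567890"):
        print(link, "->", check_invite(link, "acme"))
```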
Zoom’s popularity exploded amid the COVID-19 pandemic as people were looking to chat with friends, family and co-workers via video call. In December, around 10 million people participated in Zoom meetings each day, but by April, that figure had shot up exponentially to 300 million. It just launched a lineup of video-calling devices targeted at people who are working from home.