The popular video-conferencing platform Zoom has once again made it to the news due to back to back security issues. Last week, it was due to a remote code execution vulnerability affecting the Windows version. Right after patching it, another vulnerability affecting the Zoom Vanity URL feature popped up.
Zoom Vanity URL Zero Day
Researchers from Check Point Research have discovered a zero-day flaw affecting the Zoom client. The vulnerability affected the Vanity URL feature of Zoom. The researchers have shared the details of the flaw in a recent post.
Briefly, Vanity URL is a feature that allows Zoom customers to create customized URLs. For instances, companies can create URLs with their firm names. As explained by Zoom on their support page,
A Vanity URL is a custom URL for your company, such as yourcompany.zoom.us. This vanity URL is required for configuration if you intend to turn on SSO (Single Sign On). Optionally, you can also brand this vanity page to have customized logo/branding but generally your end-users do not type to access this vanity page directly. Your end-users click a link to join a meeting.
While the feature is useful, it was also very trivial for an adversary to exploit the feature for malicious purposes. Specifically, an attacker could add any subdomain to the customized URL to change the link. For instance, they could change a link appearing as https://zoom[.]us/j/7470812100 to https://<organization’s name>[.]zoom[.]us/j/7470812100.
Or, the attacker could do slight changes to the URL, such as changing the /j/ to /s/, that an average user would not guess.
Following this discovery, the researchers reached out to Zoom who then fixed the flaw following the report. Moreover, in their statement to Threatpost, a Zoom spokesperson urged users to remain vigilant.
Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust.
Zoom Windows RCE Flaw
Around a week ago, researchers from 0patch found remote code execution vulnerability in Zoom Client for Windows. While they did not share much details about the zero-day bug, they demonstrated the exploit in the following video.
After their report, Zoom patched the vulnerability within a day with the release of version 5.1.3.
So, now that both the bugs are fixed, all Zoom users must ensure updating their devices to the latest version.