While vanity URLs have become a convenient way to personalize links, they also create a risk of phishing attacks. Researchers have explained how different SaaS apps supporting vanity URLs could be exploited for phishing. Nonetheless, the firms involved, including Box, Google, and Zoom, have largely or completely addressed the underlying flaw to mitigate the risk.
Exploiting Vanity URLs For Phishing Attacks
Researchers from Varonis have elaborated on exploiting vanity URLs for conducting phishing attacks. Since the phishing links would look almost identical to legitimate ones, such attacks have more potential to deceive victims.
As described, popular SaaS apps such as Google, Zoom, and Box allow creating “vanity URLs” – personalized links for sharing – for more reliable communications. Usually, the recipe for creating such links is to add the company name as a subdomain to the original link.
However, the researchers observed that the apps performed no legitimacy check on such URLs. Hence, an attacker could easily spoof such a link to create a legitimate-looking phishing link. The attacker could then use such links for email phishing, social engineering, and other spoofing attacks.
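The defensive counterpart to the missing check is to validate the branded subdomain on the receiving side. The script below is an added example and is not code from the Varonis post or from any of the vendors named; it shows how a mail gateway or link-inspection tool could pull the tenant label out of a vanity-style SaaS link and compare it against the tenants your organization actually deals with. The base-domain list, the trusted-tenant list, and every URL in it are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for this example (assumptions): base domains of SaaS apps that
# support company-branded subdomains, and the tenant names your own
# organization actually does business with on each of them.
VANITY_BASE_DOMAINS = ("zoom.us", "box.com")
TRUSTED_TENANTS = {
    "zoom.us": {"acme"},
    "box.com": {"acme", "acme-partner"},
}

# Rough URL extractor for message bodies; good enough for plain-text mail.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def vanity_tenant(url):
    """Return (base_domain, tenant) for a branded SaaS link.

    tenant is None when the host is the plain product domain, and both
    values are None when the host is not under a known SaaS base domain.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for base in VANITY_BASE_DOMAINS:
        if host == base:
            return base, None
        if host.endswith("." + base):
            # "acme.zoom.us" -> "acme"; only the label directly below the
            # base domain is treated as the tenant claim.
            tenant = host[: -len(base) - 1].split(".")[-1]
            return base, tenant
    return None, None


def classify_link(url):
    """Classify one URL by the branding claim its hostname makes."""
    base, tenant = vanity_tenant(url)
    if base is None:
        return "not-vanity-saas"
    if tenant is None:
        return "generic"           # plain product domain, no branding claim
    if tenant in TRUSTED_TENANTS.get(base, set()):
        return "trusted-tenant"
    return "unknown-tenant"        # branding your organization cannot vouch for


def scan_message(text):
    """Return (url, verdict) for every URL found in a message body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample message: one link to a known partner tenant and one
    # to a tenant nobody in the organization has heard of.
    sample = (
        "Hi, the quarterly files are at https://acme.box.com/s/abc123 and the "
        "call is at https://acme-payroll.zoom.us/j/555 - please join on time."
    )
    for url, verdict in scan_message(sample):
        print(f"{verdict:16} {url}")
```

The "unknown-tenant" verdict is the one worth routing to a warning banner or a quarantine rule: the link is on the real vendor's domain, so a reputation lookup will pass it, and only the tenant label carries the spoofable branding claim the researchers describe.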
The researchers have explained different exploit scenarios for the relevant apps, Box, Google, and Zoom, in their post.
Following this discovery, the researchers reached out to Google, Box, and Zoom to report the matter. In response, the firms took appropriate steps to mitigate the flaw.
Specifically, Box addressed the spoofing issue, limiting link spoofing to certain enterprise accounts only. Box has also added a warning message to the generic file-submission form, asking users whether they really trust the site before submitting files.
However, Zoom and Google are yet to fully address the matter. According to the researchers, Google has “approved and triaged” the bug, but the “publish to web” feature for Google Docs and Google Forms remains vulnerable. Likewise, Zoom has merely added a warning message, which users could easily ignore in a hurry. Therefore, the researchers urge users to remain careful when accessing “branded Zoom links”, especially when sharing sensitive data.
Let us know your thoughts in the comments.