New flaw in Zoom allows fraudsters to breach into networks
By MYBRANDBOOK
The latest Zoom flaw could have allowed attackers to impersonate an organization, tricking its employees or business partners into revealing personal or other confidential information through social engineering. In a report, researchers at cybersecurity firm Check Point disclosed details of a minor but easy-to-exploit flaw they reported in Zoom, the widely used video conferencing software.
Social engineering attacks may sound unremarkable, but just last night they were used to set Twitter ablaze, when hundreds of high-profile Twitter accounts were hijacked to promote a cryptocurrency scam, all thanks to an employee's compromised internal tooling account.
The vulnerability resides in Zoom's customizable URL feature, dubbed Vanity URL, which lets companies create a custom URL on their own Zoom subdomain along with a branded landing page.
The Check Point team found that, due to improper account validation, any meeting ID could have been launched under any organization's Vanity URL, even if the meeting had been set up by a separate individual account.
"The security issue is focused on the sub-domain functionalities," the researchers said. "There are several ways to enter a meeting containing a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organization's customized sub-domain web UI."
Attackers can exploit this loophole in two ways:
Attack via direct links: A hacker can change the invitation URL when setting up a meeting. A user receiving this invitation link may fall into the attacker's trap, believing the invitation was genuine and issued by a real organization.
Attacking dedicated Zoom web interfaces: Since some organizations have their own Zoom web interface for conference calls, a hacker could also target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual Zoom web interface, so that the user joins the attacker's Zoom session.
A successful exploit amounts to a phishing attack, allowing the attackers to pose as a legitimate employee of the company, which could enable them to steal credentials and sensitive information and carry out other fraudulent actions.
Check Point researchers responsibly disclosed the issue to Zoom Video Communications Inc. and worked with the company to address it and put additional safeguards in place to protect users.
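To make the validation gap concrete, here is an added example (not Zoom's code, and not from the Check Point report): a toy join resolver in which the subdomain-to-account and meeting-to-host mappings, the base domain zoom.example, and all IDs are constructed. The unsafe version accepts any existing meeting under any vanity subdomain; the hardened version requires the meeting's host account to own the subdomain, which covers both the direct-link and web-UI paths.

```python
# Added illustration, not Zoom's code: a minimal model of the Vanity URL
# account-validation gap described in the article. The base domain
# "zoom.example", account names and meeting IDs are all constructed.
from urllib.parse import urlparse

BASE_DOMAIN = "zoom.example"
# Constructed directory: account owning each vanity subdomain, account hosting each meeting.
VANITY_OWNERS = {"acme": "acct-acme", "globex": "acct-globex"}
MEETING_HOSTS = {"111222333": "acct-acme", "444555666": "acct-personal"}

def parse_join_url(url):
    """Split a join link into (vanity_subdomain, meeting_id), or (None, None)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None, None
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "j" or not parts[1].isdigit():
        return None, None
    return host[:-len(suffix)], parts[1]

def resolve_join_unsafe(subdomain, meeting_id):
    """Models the flawed behaviour: subdomain and meeting both exist, so the
    join proceeds under the org's branding regardless of who hosts the meeting."""
    if subdomain not in VANITY_OWNERS or meeting_id not in MEETING_HOSTS:
        return None
    return {"org": subdomain, "meeting": meeting_id}

def resolve_join(subdomain, meeting_id):
    """Hardened check: the meeting must be hosted by the account that owns the
    vanity subdomain; anything else is refused (web UI path calls this directly)."""
    owner = VANITY_OWNERS.get(subdomain)
    host = MEETING_HOSTS.get(meeting_id)
    if owner is None or host is None or owner != host:
        return None
    return {"org": subdomain, "meeting": meeting_id}

def resolve_join_url(url):
    """Direct-link path: parse the invitation URL, then apply the hardened check."""
    subdomain, meeting_id = parse_join_url(url)
    if subdomain is None:
        return None
    return resolve_join(subdomain, meeting_id)
```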
"Because Zoom has become one of the world's leading communication channels for businesses, governments and consumers, it's critical that threat actors are prevented from exploiting Zoom for criminal purposes," Adi Ikan, Group Manager at Check Point Research, told the press.
"Working together with Zoom's security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service's benefits."
Earlier this year, the same research team also worked with Zoom to patch a severe privacy bug that could have allowed uninvited people to join private meetings and remotely eavesdrop on private audio, video, and documents shared throughout the session.
Due to the ongoing coronavirus outbreak, the usage of Zoom video conferencing software has skyrocketed from 10 million daily meeting participants back in December 2019 to more than 300 million in April 2020, making it a favourite target of cybercriminals.
Just last week, Zoom patched a zero-day vulnerability in all supported versions of the Zoom client for Windows that could have allowed an attacker to execute arbitrary code on a victim's computer running Microsoft Windows 7 or older.
Last month, Zoom addressed two critical security vulnerabilities in its video conferencing software for Windows, macOS, and Linux computers that could have allowed attackers to remotely compromise the systems of group chat participants or of an individual recipient.
In April, a series of issues were uncovered and reported in Zoom, which raised privacy and security concerns surrounding the video conferencing software among millions of its users.