Check Point Security and Zoom announced on Thursday that a new zero-day has been discovered in the “Vanity URL” feature on Zoom, which allows companies to create their own meeting domain. By exploiting this zero-day, attackers could pose as a company employee and then use a socially engineered conversation to extract sensitive information. The flaw has not been disclosed previously, but it could offer hackers the perfect avenue for stealing credentials and sensitive information.
Companies can use the Vanity URL feature to add logos and branding to the page, and users can click meeting links within the page to connect to a Zoom call. Not only is the feature convenient, but it must also be configured if users want to turn on Single Sign-On for the video services. To exploit the zero-day, attackers would pose as a legitimate employee of the company and then send a meeting invitation from the company’s Vanity URL to get targets to join.