Home > Tech > Tech Industry

Zoom bug allowed anyone to use a company’s custom meeting URL

Bad actors could have weaponized this.
By Matt Binder  on 
Share on Facebook Share on Twitter Share on Flipboard
Zoom bug allowed anyone to use a company’s custom meeting URL

Cybersecurity professionals are still finding some big problems with Zoom.

On Thursday, researchers at online security firm Check Point detailed their latest discovery: an exploit in Zoom which would have allowed any bad actor to use a company’s vanity URL for their own video meeting.

Here’s what this means. Basically, companies and organizations paying Zoom for video conferencing services can set up a unique vanity subdomain to brand their meetings right in the Zoom domain name. For example, a company can set up its video meetings to live on the URL https://YourCompany.zoom.us/meetingID.

This bug allowed anyone to setup their own Zoom meeting and add any subdomain registered with Zoom. Let’s say McDonald’s used a mcdonalds.zoom.us custom subdomain for its meetings. Anyone could have started their own meeting, add the “mcdonalds” subdomain to their own personal Zoom meeting link and the link would have worked. That URL would have led users who clicked it to the bad actor’s personal Zoom meeting.

Those attending the Zoom meeting could be tricked into believing they were on a conference call with the company mentioned in the subdomain. Attackers could have used this ability to pose as a company representative and social engineer real employees or customers into divulging sensitive information.

Furthermore, there was a secondary way in which this exploit could have been abused too.

Some companies with custom Zoom URLs set up branded web conference interfaces for its meeting logins. Continuing to use the example above, McDonald’s could have set up its own branded mcdonalds.zoom.us dashboard with company logo and other branding to act as a central space for its employees to login and input meeting IDs to attend.

The exploit allowed any ID meeting to be entered into a company’s branded Zoom interface, regardless of whether or not it was a meeting set up by a company employee. That means an attacker could’ve started their own meeting then direct a user to the mcdonalds.zoom.us dashboard to input the attacker’s meeting ID, and the user would have entered the attacker’s Zoom meeting.

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

It’s easy to understand how a user could easily think that if they entered a Zoom meeting through a web interface complete with McDonald’s branding, at the URL mcdonalds.zoom.us, they’d be under the belief that this was an official company Zoom conference.

Check Point provided some visuals regarding how the exploit could have been used in the video below.

“Because Zoom has become one of the world’s leading communication channels for businesses, governments and consumers, it’s critical that threat actors are prevented from exploiting Zoom for criminal purposes,” explained Check Point Group Manager Adi Ikan in a statement.

According to Check Point, the company worked together with Zoom to fix the issue. The company said that Zoom has also established additional security measures to protect users from being affected by this problem.

Zoom has become a standout tech success during the coronavirus pandemic. The video conferencing company added millions of new users in a matter of months at the start of the COVID-19 lockdowns.

However, the company also faced its share of security issues during that time period too. The most notable issue involved Zoombombing, where uninvited users would find their way into a private Zoom conference and disrupt the meeting.

Since most of these came to light, Zoom has pledged to prioritize security issues. This latest security flaw could’ve caused some real problems, but thankfully the issue can no longer be exploited.

UPDATE: July 17, 2020, 9:49 a.m. EDT

Zoom has provided us with a statement on the vanity URL bug.

“Zoom has addressed the issue reported by Check Point and put additional safeguards in place for the protection of its users," said a Zoom spokesperson in an email. "Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue. If you think you’ve found a security issue with Zoom products, please send a detailed report to [email protected].”

Topics Cybersecurity

Recommended For You
Which books are going to go TikTok famous this year
By Christianna Silva
Cross the line by Simone Soltani / Fruit of the Dead by Rachel Lyon / Perfume And Pain by Anna Dorn
The TikTok ban is law. Here's what happens next.
By Tim Marcin
hand holding phone showing tiktok logo
What's your K-pop persona? Spotify wants you to take the quiz to find out.
By Elena Cavender
A purple screen displaying the K-pop persona process on Spotify
Yes, 'You wouldn't last an hour in the asylum where they raised me' is a Taylor Swift lyric
By Elena Cavender
Taylor Swift performing in a white dress surrounded by back up dancers in black outfits creating a haunting image.
Look out Substack, Ghost will join the fediverse this year
By Meera Navlakha
The Ghost logo.
More in Tech
Grab the Dyson Airwrap Long Complete for $140 off if you're a Best Buy Plus or Total member
By Lauren Allain
a person stands against a white background while using the dyson airwrap complete long hair styling tool with a brush attachment
Celebrate World Book Day by saving up to 80% on Kindle books at Amazon
By Lauren Allain
a person sits outside, under a tree while reading on a kindle device
The wildest lyrics on Taylor Swift's 'The Tortured Poets Department,' from 'Grand Theft Auto' to Charlie Puth
By Elena Cavender
Taylor Swift performing at The Eras Tour in a black and red jumpsuit giving major side eye.
TikTok for Business: Everything you need to know
By Mashable Contributor
TikTok for Business
Sign up for a yearlong membership to Instacart+ for under $85
By Lauren Allain
a person looks at their phone with the instacart carrot on the screen while standing over many bags full of groceries
Trending on Mashable
NYT Connections today: See hints and answers for April 25
By Mashable Team
A phone displaying the New York Times game 'Connections.'
Wordle today: Here's the answer and hints for April 25
By Mashable Team
a phone displaying Wordle
NYT's The Mini crossword answers for April 25
By Mashable Team
Closeup view of crossword puzzle clues
NYT Connections today: See hints and answers for April 24
By Mashable Team
A phone displaying the New York Times game 'Connections.'
Home Depot's famous 12-foot skeleton (and its new pet dog) go on sale today
By Haley Henschel
decorations from home depot's 2024 halloween collection
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!