Exploiting a security vulnerability in the videoconferencing application, cybercriminals could have used fraudulent meeting invitations to deceive their victims. Experts say the hole has already been closed, but it is still worth paying attention to.
Zoom has announced that it has fixed a serious security flaw that would have allowed attackers to distribute invitations to corporate online meetings that appeared to be authentic. The problem was discovered by Check Point in an add-on feature of Zoom that lets companies create a so-called Vanity URL, a Zoom subdomain containing the company name (e.g. http://companyname.zoom.us), and include it in their conference invitations.
An attacker abusing this feature could have rewritten an ordinary meeting link so that it carried the genuine, registered Vanity URL of the target organization in front of a direct link to a meeting the attacker controlled. Because the subdomain really belonged to the company, the invitation looked legitimate; a victim who fell for such a fake invitation could have been deceived into joining a meeting they believed came from their own organization.
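To make the point concrete, here is an added example (not Check Point's or Zoom's own code, and not part of the original article) that shows in Python both the link manipulation described above and the one check that actually helps: the vanity subdomain is not a trust signal, because it is genuine in both the real and the forged invitation; only the meeting ID, compared against the meetings the organization really scheduled, tells them apart. The vanity host `companyname.zoom.us`, the meeting IDs and the allow-list are constructed for the example; where such a list would come from in practice (the company calendar or a Zoom admin export) is an assumption.

```python
from urllib.parse import urlparse

# Constructed sample data (not from the article): the organisation's own vanity
# host and the meeting IDs it really scheduled. In practice the allow-list would
# be fed from the calendar or a Zoom admin export; that source is an assumption.
ORG_VANITY_HOST = "companyname.zoom.us"
KNOWN_ORG_MEETING_IDS = {"1112223333", "4445556666"}


def parse_join_link(url):
    """Return (host, meeting_id) for a Zoom join link of the form
    https://<host>/j/<meeting id>, or None if the URL does not look like one."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0] != "j" or not segments[1].isdigit():
        return None
    return host, segments[1]


def impersonate(original_url, vanity_host):
    """The manipulation the article describes: keep the attacker's meeting ID
    and put the victim organisation's genuine vanity subdomain in front of it."""
    parsed = parse_join_link(original_url)
    if parsed is None:
        raise ValueError("not a Zoom join link: %r" % original_url)
    _, meeting_id = parsed
    return "https://%s/j/%s" % (vanity_host, meeting_id)


def assess_invitation(url):
    """Classify an invitation link.

    'known-internal'  : company vanity host AND a meeting ID we scheduled
    'suspicious'      : company vanity host but a meeting ID we never scheduled
                        (exactly the forged-invitation case)
    'external'        : some other Zoom host, e.g. a partner's meeting
    'not-a-zoom-link' : not a join link at all
    """
    parsed = parse_join_link(url)
    if parsed is None:
        return "not-a-zoom-link"
    host, meeting_id = parsed
    if host == ORG_VANITY_HOST and meeting_id in KNOWN_ORG_MEETING_IDS:
        return "known-internal"
    if host == ORG_VANITY_HOST:
        return "suspicious"
    return "external"


if __name__ == "__main__":
    attacker_link = "https://zoom.us/j/9998887777"          # attacker's own meeting
    forged = impersonate(attacker_link, ORG_VANITY_HOST)    # looks like our company
    for link in ("https://companyname.zoom.us/j/1112223333", forged, attacker_link):
        print(assess_invitation(link), link)
```

Running the module prints `known-internal` for the genuinely scheduled meeting, `suspicious` for the forged link (same trusted host, unknown meeting ID) and `external` for the attacker's undisguised link, which is the distinction a mail filter or a cautious recipient needs to make; a host-name allow-list on its own would have passed the forgery.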
Although this particular loophole has now been closed, security experts warn that we should double-check whether an unexpected invitation is genuine. It may feel like a joke or a chore, of course, to ask, "Boss, are we really having a Zoom meeting at two o'clock tomorrow?"
The popularity of Zoom has skyrocketed in the wake of the coronavirus pandemic: while only about ten million people attended Zoom meetings a day in December 2019, 300 million "zoomed" daily in April 2020.
From a security point of view, however, the service has been widely criticized from the outset. In recent months the company has been patching vulnerabilities and has also set up a separate body to deal with security issues. In addition, it has announced the introduction of full end-to-end encryption (E2EE) to protect video chats. Initially it wanted to offer this only to paying customers, but under strong public pressure it decided that all users would receive the increased protection.