Cybersecurity experts have discovered that custom URLs from Google Docs, Zoom, or Box can be copied or changed at will. A hacker could send a link without the victim suspecting a trap in the address.
It’s easier to usurp a large group than you might think. Researchers from Varonis, a company specializing in cybersecurity, have detected a flaw in the URLs of services such as Google Docs, Zoom or Box.
These companies use personalized web addresses to share files, invite someone to a video conference, etc. However, Varonis discovered that only part of this URL is protected, the rest is modifiable.
The researchers give an example in their report published on May 11, 2022. Zoom, the popular video conferencing application, offers its customers to customize the subdomain. So we could for example ask for an address numerama.zoom.com for our employees to initiate an online meeting or webinar.
Varonis experts have attacked the links of already recorded meetings or webinars and in many cases managed to modify the URL or redirect it to another address without the user noticing.
Thus it would be possible to offer an employee to view the last meeting recorded under the address numerama.zoom.com, but the latter was actually published to a fraudulent link. Regarding Zoom, in most cases, the application warned that the user was heading to another domain name.
A publicly shared google doc could contain a phishing link
Google Docs URLs, or Box – a content sharing application – have also been tested by Varonis. Regarding Box, the flaw is found in the file sharing links. A fake PDF could for example contain a phishing link.
As for Google Docs, an attacker can send a form to employees, asking them for personal information, without the victim having the slightest doubt. The address displayed will be that of the company.
Another trap, the hacker can also choose to make a google doc public and then modify its address. Again, the link may refer to a phishing site in order to infect or block the victim’s computer.
How to protect yourself when the address displayed is not suspicious? Or Emmanuel, director of research and security at Varonis explains that employees must be extra careful: “ If they receive a form, a file that has nothing to do with their daily work in the office, it is always best to discuss it with your superiors upstream to make sure that the company is indeed the source of this document. . »
” Obviously, it is also up to the groups mentioned to work on the security of their services. “, he adds. The three companies have all been informed by Varonis. Box confirms corrected the flaw, Zoom has integrated a prevention system but breaches would still remain in Google Forms and Docs.
A flaw far from trivial when we know that information theft is exploding: in 2021, the CNIL received nearly 3,000 notifications resulting from computer hacking, an increase of 128% compared to 2020. 70% targeted attacks on SMEs and micro-enterprises, hackers’ favorite victims.