Researchers revealed that Box, Zoom, and Google Docs failed to validate the subdomain portion of so-called vanity URLs, giving attackers a powerful way to enhance their phishing campaigns.
Vanity URLs can be customized to include a brand name and a description of the link’s purpose and typically redirect to a longer, generic URL. Widely used by software-as-a-service (SaaS) applications, vanity URLs are used to share or request files, invite users to register for events, and so on.
The vulnerabilities discovered in Box, Zoom, and Google Docs enable attackers to abuse the apparent reassurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.
Link-filtering technologies would normally block a faked or misspelled URL (like apple-support.zoom.us). Since this attack spoofs the REAL URL, there is no way for these types of technologies to automatically filter or flag the URL as malicious.
Box, the popular cloud content management app, patched flaws affecting vanity URLs for file-sharing and public forms used to request files and associated information.
The file-sharing issue was exacerbated by an attacker’s ability to add password protection to malicious files and upload a targeted brand’s logo and recreate its color scheme, while the absence of branding on public forms makes it harder for victims to spot tell-tale design flaws.
Zoom had addressed the potential abuse of vanity URLs for meeting recordings and webinar registration pages “by warning users if they are being redirected to a different subdomain.”
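The filtering gap described above and Zoom's "different subdomain" warning come down to one comparison: the vanity label the user was shown versus the host the link actually lands on. The following is an added illustration of that check for a mail or URL gateway, not code from the research or any vendor; the base-domain list, the hostnames and the redirect chains are constructed assumptions.

```python
from urllib.parse import urlsplit

# SaaS base domains named in the article; the label in front of them is a
# customer-chosen vanity subdomain, not something the platform authenticates.
VANITY_BASES = ("zoom.us", "box.com", "docs.google.com")


def split_vanity(url):
    """Return (base_domain, vanity_label) for a host under one of VANITY_BASES,
    (base_domain, "") for the bare base domain, or None for any other host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for base in VANITY_BASES:
        if host == base:
            return base, ""
        if host.endswith("." + base):
            return base, host[: -len(base) - 1]
    return None


def classify_redirect(link_url, final_url):
    """Compare the vanity subdomain a user saw with the host the link landed on,
    the comparison behind a Zoom-style 'different subdomain' warning.

    link_url  : URL as shown to the user (e.g. in an e-mail)
    final_url : URL reached after following redirects (caller resolves them)
    Returns one of: not-vanity, same-tenant, generic-landing, cross-tenant,
    left-domain. 'cross-tenant' is the case worth warning on: the brand label
    shown is not the tenant that actually hosts the content."""
    shown, landed = split_vanity(link_url), split_vanity(final_url)
    if shown is None or shown[1] == "":
        return "not-vanity"
    if landed is None or landed[0] != shown[0]:
        return "left-domain"
    if landed[1] == shown[1]:
        return "same-tenant"
    if landed[1] == "":
        return "generic-landing"   # label was cosmetic; landed on the bare base domain
    return "cross-tenant"


# Constructed sample redirect chains (hypothetical hosts, not from the research).
SAMPLES = [
    ("https://examplecorp.zoom.us/rec/share/abc123", "https://examplecorp.zoom.us/rec/play/abc123"),
    ("https://examplecorp.zoom.us/rec/share/abc123", "https://other-tenant.zoom.us/rec/play/abc123"),
    ("https://examplecorp.box.com/s/xyz", "https://box.com/s/xyz"),
    ("https://example.com/login", "https://example.com/login"),
]

if __name__ == "__main__":
    for link, final in SAMPLES:
        print(f"{classify_redirect(link, final):15} {link}")
```

Only the cross-tenant result is a warning condition; a landing on the bare base domain is the ordinary "redirect to a generic URL" behaviour the article describes and carries no tenant signal either way.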
Attackers could also brand a Google Form requesting sensitive confidential data with the targeted company’s logo as yourcompanydomain.docs.google.com/forms/d/e/:form_id/viewform.
Google Docs documents shared via the ‘publish to web’ feature are similarly vulnerable, and Google has yet to roll out a fix.
This research was conducted by the security firm Varonis.