A failure to validate subdomains within so-called ‘vanity URLs’ by Box, Zoom, and Google Docs gave attackers a powerful way to enhance their phishing campaigns, security researchers have revealed.
Vanity URLs can be customized to include a brand name and a description of the link’s purpose (for example, brandname/registernow) and typically redirect to a longer, generic URL.
Widely used by software-as-a-service (SaaS) applications, vanity URLs serve to share or request files, invite users to register for events, and so on.
False sense of security
The vulnerabilities discovered in Box, Zoom, and Google Docs enable attackers to abuse the apparent reassurance vanity URLs offer recipients that they are dealing with a legitimate organization rather than cybercriminals.
Researchers from Varonis Threat Labs found that the SaaS applications validated a vanity URL’s URI (the unique sequence of characters at the end of the link) but not its descriptive subdomain.
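To make the validation gap concrete, the following is an added example (not code from the article or from any of the vendors named). It assumes a generic SaaS layout in which vanity URLs take the form https://<tenant>.example-saas.test/<resource-path>, and in which every shared resource path is owned by exactly one tenant subdomain; the service domain, the resource table, and the function names are all constructed for illustration. The weak resolver checks only the path, which is the behaviour the researchers describe; the hardened resolver additionally requires the subdomain to match the resource's owning tenant.

```python
from urllib.parse import urlsplit

# Assumed base domain of the hypothetical SaaS service (placeholder).
SERVICE_DOMAIN = "example-saas.test"

# Constructed sample data: each shared resource path is owned by one tenant.
RESOURCES = {
    "/s/abc123": "acme",
    "/s/def456": "contoso",
}


def parse_vanity_url(url):
    """Return (subdomain, path) for an HTTPS URL under SERVICE_DOMAIN, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = parts.hostname or ""
    suffix = "." + SERVICE_DOMAIN
    if not host.endswith(suffix):
        return None
    subdomain = host[: -len(suffix)]
    # Exactly one label is allowed in front of the service domain.
    if not subdomain or "." in subdomain:
        return None
    return subdomain, parts.path


def resolve_weak(url):
    """Weak check: only the URI path is validated; the subdomain is ignored.

    Returns the owning tenant of the path even when the subdomain in the
    link names a different tenant, so the displayed brand is not verified.
    """
    parsed = parse_vanity_url(url)
    if parsed is None:
        return None
    _, path = parsed
    return RESOURCES.get(path)


def resolve_strict(url):
    """Hardened check: the subdomain must equal the resource's owning tenant.

    A link whose path belongs to one tenant but whose subdomain names another
    is rejected, so the brand shown in the URL is bound to the content served.
    """
    parsed = parse_vanity_url(url)
    if parsed is None:
        return None
    subdomain, path = parsed
    owner = RESOURCES.get(path)
    if owner is None or owner != subdomain:
        return None
    return owner
```

The difference shows up on a link whose path is valid but whose subdomain does not match the path's owner: resolve_weak still serves the resource, while resolve_strict returns None. A server-side fix of this shape, plus logging of rejected subdomain/path mismatches, is the defensive control the reported issue calls for.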