Researchers have discovered several URL spoofing bugs in Box, Zoom and Google Docs that would allow phishers to generate links to malicious content and make it look like it’s hosted by an organization’s SaaS account.
Many attacks are made possible
The vulnerabilities arise for a lack of validation of so-called vanity URLs, and they allow attackers with their own SaaS accounts to change the URL of the pages hosting malicious files, forms and landing pages, as to maximize their potential to trick users.
“These spoofed URLs can be used for phishing campaigns, social engineering attacks, reputation attacks, and malware distribution,” Varonis researchers noted.
“Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire.”
The researchers have demonstrated the exploitability of these flaws by:
- Hosting a malicious PDF and a phishing form on their test Box account, then creating file-sharing and public file-request URLs and changing the subdomain in those (and the links continued to work!)
- Creating malicious registration pages, employee login pages, and pages hosting meeting recordings, and make their URL and even their branding reflect that of a popular brand (Apple)
- Creating Google Forms and Docs (the latter shared via the “publish to web” option) impersonating a specific company/brand
Mitigation
The URL spoofing vulnerabilities have already been fixed by, box but not all have been mitigated in zoom and Google Docs.
“We can still reproduce the Google Docs and Google Forms bug. We can reproduce the Zoom webinar registration and recording in certain circumstances, but the user does get a warning message in all cases,” the varonis research team told Help Net Security.
“We’re still in communication with Google and Zoom in case they need more details, but haven’t been provided insight into whether they plan to make additional fixes.”
Since vanity URLs exist in many different SaaS applications, they advise organizations to educate employees on the risk of blindly trusting links including the organization’s subdomain or that of a popular brand, and to be careful when asked to submit sensitive information via forms – even if those forms appear to be hosted by their company’s sanctioned SaaS accounts.