Briefly, Vanity URL is a feature that allows Zoom customers to create customized URLs. For instances, companies can create URLs with their firm names. As explained by Zoom on their support page,
A Vanity URL is a custom URL for your company, such as yourcompany.zoom.us. This vanity URL is required for configuration if you intend to turn on SSO (Single Sign On). Optionally, you can also brand this vanity page to have customized logo/branding but generally your end-users do not type to access this vanity page directly. Your end-users click a link to join a meeting.While the feature is useful, it was also very trivial for an adversary to exploit the feature for malicious purposes. Specifically, an attacker could add any subdomain to the customized URL to change the link. For instance, they could change a link appearing as https://zoom[.]us/j/7470812100 to https://<organization’s name>[.]zoom[.]us/j/7470812100.
Or, the attacker could do slight changes to the URL, such as changing the /j/ to /s/, that an average user would not guess.
Following this discovery, the researchers reached out to Zoom who then fixed the flaw following the report. Moreover, in their statement to Threatpost, a Zoom spokesperson urged users to remain vigilant.
Zoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust.
After their report, Zoom patched the vulnerability within a day with the release of version 5.1.3.
So, now that both the bugs are fixed, all Zoom users must ensure updating their devices to the latest version.