Connect with us

Hi, what are you looking for?



Flaw Could Have Allowed Hackers to Identify All Zoom Users in a Company

A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.

A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.

Zoom has drawn a lot of attention over the past several weeks, especially since many organizations have asked employees to work from home during the current COVID-19 pandemic, and, for many, Zoom has become the main option for internal communication.

Talos security researchers discovered that it was possible for a malicious actor to obtain a complete list of Zoom users inside a specific organization. The issue, they say, resided on the server side and has already been addressed.

The vulnerability, the researchers say, affected a function that the video conferencing solution provides users with to allow them find contacts within the organization.

Zoom’s chat is based on the XMPP standard, meaning that the client sends a “group query” XMPP request specifying a group name, which in this case is actually a registration email domain.

Because the server did not validate the request to ensure that the user making it belonged to a queried domain, arbitrary users could request contact lists of arbitrary registration domains.

To exploit the issue, an attacker would need to properly authenticate to Zoom with a valid user account, then send a crafted XMPP message to receive a list of users associated with the targeted domain.

Advertisement. Scroll to continue reading.

The reply from the Zoom server provided the attacker with a directory of users registered under that domain.

“This includes details such as the autogenerated XMPP username along with the user’s first and last names. This information combined with other XMPP queries could be leveraged to disclose further contact information including the user’s email address, phone number and any other information that is present in their vCard,” Cisco Talos reveals.

The vulnerability, the researchers say, could have been exploited in a spear-phishing attack against known individuals to obtain the email addresses of all the Zoom users within an organization.

Such an attack mainly exposes users who have recently had to install new software for remote working, especially if the attacker tailors the socially-engineered emails to supposedly provide instructions on how a “new or updated Trojan horse ‘Zoom client’” can be installed.

“With video teleconferencing suddenly becoming a business-critical function, attackers can be expected to look for weaknesses that can be exploited in order to further their malicious goals. Organizations need to be aware of the risks of user enumeration attacks such as these and take the necessary steps to mitigate such attacks,” Talos concludes.

Zoom appears to have already patched the flaw. Because the vulnerability resided server-side, users and administrators do not need to take additional steps to remain protected.

Related: Zoom Credentials Database Available on Dark Web

Related: Keys Used to Encrypt Zoom Meetings Sent to China: Researchers

Related: Zoom Working on Security Improvements Amid More Bans

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.