Security Experts:

Connect with us

Hi, what are you looking for?



Flaw Could Have Allowed Hackers to Identify All Zoom Users in a Company

A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.

A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.

Zoom has drawn a lot of attention over the past several weeks, especially since many organizations have asked employees to work from home during the current COVID-19 pandemic, and, for many, Zoom has become the main option for internal communication.

Talos security researchers discovered that it was possible for a malicious actor to obtain a complete list of Zoom users inside a specific organization. The issue, they say, resided on the server side and has already been addressed.

The vulnerability, the researchers say, affected a function that the video conferencing solution provides users with to allow them find contacts within the organization.

Zoom’s chat is based on the XMPP standard, meaning that the client sends a “group query” XMPP request specifying a group name, which in this case is actually a registration email domain.

Because the server did not validate the request to ensure that the user making it belonged to a queried domain, arbitrary users could request contact lists of arbitrary registration domains.

To exploit the issue, an attacker would need to properly authenticate to Zoom with a valid user account, then send a crafted XMPP message to receive a list of users associated with the targeted domain.

The reply from the Zoom server provided the attacker with a directory of users registered under that domain.

“This includes details such as the autogenerated XMPP username along with the user’s first and last names. This information combined with other XMPP queries could be leveraged to disclose further contact information including the user’s email address, phone number and any other information that is present in their vCard,” Cisco Talos reveals.

The vulnerability, the researchers say, could have been exploited in a spear-phishing attack against known individuals to obtain the email addresses of all the Zoom users within an organization.

Such an attack mainly exposes users who have recently had to install new software for remote working, especially if the attacker tailors the socially-engineered emails to supposedly provide instructions on how a “new or updated Trojan horse ‘Zoom client’” can be installed.

“With video teleconferencing suddenly becoming a business-critical function, attackers can be expected to look for weaknesses that can be exploited in order to further their malicious goals. Organizations need to be aware of the risks of user enumeration attacks such as these and take the necessary steps to mitigate such attacks,” Talos concludes.

Zoom appears to have already patched the flaw. Because the vulnerability resided server-side, users and administrators do not need to take additional steps to remain protected.

Related: Zoom Credentials Database Available on Dark Web

Related: Keys Used to Encrypt Zoom Meetings Sent to China: Researchers

Related: Zoom Working on Security Improvements Amid More Bans

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.