A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.
Zoom has drawn a lot of attention over the past several weeks, especially since many organizations have asked employees to work from home during the current COVID-19 pandemic, and, for many, Zoom has become the main option for internal communication.
Talos security researchers discovered that it was possible for a malicious actor to obtain a complete list of Zoom users inside a specific organization. The issue, they say, resided on the server side and has already been addressed.
The vulnerability, the researchers say, affected a function that the video conferencing solution provides users with to allow them find contacts within the organization.
Zoom’s chat is based on the XMPP standard, meaning that the client sends a “group query” XMPP request specifying a group name, which in this case is actually a registration email domain.
Because the server did not validate the request to ensure that the user making it belonged to a queried domain, arbitrary users could request contact lists of arbitrary registration domains.
To exploit the issue, an attacker would need to properly authenticate to Zoom with a valid user account, then send a crafted XMPP message to receive a list of users associated with the targeted domain.
The reply from the Zoom server provided the attacker with a directory of users registered under that domain.
“This includes details such as the autogenerated XMPP username along with the user’s first and last names. This information combined with other XMPP queries could be leveraged to disclose further contact information including the user’s email address, phone number and any other information that is present in their vCard,” Cisco Talos reveals.
The vulnerability, the researchers say, could have been exploited in a spear-phishing attack against known individuals to obtain the email addresses of all the Zoom users within an organization.
Such an attack mainly exposes users who have recently had to install new software for remote working, especially if the attacker tailors the socially-engineered emails to supposedly provide instructions on how a “new or updated Trojan horse ‘Zoom client’” can be installed.
“With video teleconferencing suddenly becoming a business-critical function, attackers can be expected to look for weaknesses that can be exploited in order to further their malicious goals. Organizations need to be aware of the risks of user enumeration attacks such as these and take the necessary steps to mitigate such attacks,” Talos concludes.
Zoom appears to have already patched the flaw. Because the vulnerability resided server-side, users and administrators do not need to take additional steps to remain protected.